Patelco Credit Union Settles Data Breach Case for $7.25 Million with Claim Details


Patelco Credit Union has agreed to settle a class action lawsuit over a June 2024 ransomware attack for $7.25 million, with preliminary court approval granted on June 9, 2025. The settlement covers more than 1 million account holders whose personal and financial information was compromised when the Dublin, California-based nonprofit financial cooperative experienced a system breach lasting over two weeks.

This settlement marks a significant recovery for victims of one of 2024’s most damaging attacks on a financial institution, providing compensation while Patelco Credit Union faces additional regulatory penalties and mandatory cybersecurity improvements. This article covers what happened during the breach, what personal information was exposed, how the settlement amount will be distributed, the claim filing process for affected customers, and the regulatory actions Patelco has agreed to undertake. Understanding your rights as a member of Patelco during this settlement window is crucial—affected account holders have limited time to file claims once the settlement administrator contacts class members, and different types of claims may qualify for different compensation levels.


What Happened in the Patelco Credit Union Data Breach?

In June 2024, Patelco Credit Union fell victim to a ransomware attack that forced the institution to take its systems offline for more than two weeks. The attack exposed the personal and financial data of over 1 million account holders, making it one of the largest breaches of a California financial institution in recent years. During the outage, members could not access their accounts, transfer funds, or obtain customer service, creating widespread disruption for a credit union with deep roots in Northern California serving employees of Pacific Gas and Electric Company and the greater public.

The ransomware attack compromised a vast range of sensitive information including names, dates of birth, home addresses, Social Security numbers, driver’s license numbers, and email addresses. While there is no public evidence that funds were directly stolen from member accounts during the breach, the exposure of this combination of data puts victims at elevated risk for identity theft, fraud, and targeted phishing attacks for years to come. For comparison, other financial institution breaches of similar scale (such as the MOVEit vulnerability that affected multiple financial services firms) typically result in litigation spanning several years, making Patelco’s relatively quick settlement unusual in the financial sector.


What Personal Data Was Exposed in This Breach?

The data compromised in the Patelco breach includes the most sensitive personal identifiers: names, dates of birth, addresses, Social Security numbers, driver’s license numbers, and email addresses. This combination is particularly dangerous because it contains nearly everything needed for identity theft, account takeover, and fraudulent credit applications. Cybercriminals can use this information to open new credit accounts, file fraudulent tax returns, or conduct targeted social engineering attacks that are more convincing because they already know legitimate personal details about the victim.

However, it’s important to note that financial account numbers and login credentials were not publicly disclosed as part of this breach, which limits the immediate risk of funds being transferred directly. That said, victims should still monitor their credit reports and bank accounts closely, as criminals can use the exposed information to reset passwords, impersonate victims to customer service, or commit other forms of fraud. The settlement requires Patelco to fund a claims process specifically because the exposure of this data is expected to increase identity theft risk for years, potentially requiring victims to pay for credit monitoring, fraud resolution services, and other protective measures.

[Chart: Patelco Credit Union Settlement Overview, showing settlement fund, DFPI fine, accounts affected (millions), system outage (weeks), and settlement date. Source: SF Public Press, Pleasanton Weekly, California DFPI]

How Much Is the Settlement and How Will It Be Distributed?

The $7.25 million settlement fund is designed to compensate affected class members for their losses and the costs associated with protecting themselves against identity theft. This amount does not include the $100,000 fine that Patelco agreed to pay to California’s Department of Financial Protection and Innovation (DFPI), which was finalized in February 2025 and is directed toward state regulatory purposes rather than victim compensation. The $7.25 million figure must cover not only direct claims from victims who suffered fraud but also administrative costs for the settlement administrator, attorney fees (approved by the court), and notice costs to inform all class members.

Individual claim amounts will be determined after final court approval when the settlement administrator opens the claims window. Typically in data breach settlements, class members fall into different compensation tiers: some may qualify for direct reimbursement if they can prove they suffered identity theft or fraud related to the breach, while others receive smaller per-person payments as part of a general distribution. The settlement fund will be divided based on the number and type of valid claims received, so the amount each affected individual receives depends on how many class members file claims and the nature of their losses. This means early action is important—waiting months after the claims window opens could result in a smaller proportional payment if the fund is divided among more claimants than anticipated.


How Do You File a Claim in the Patelco Settlement?

Once the Alameda County Superior Court grants final approval of the settlement, a settlement administrator will be appointed to manage the claims process. The administrator will send official notice to all identified class members using the contact information Patelco has on file, explaining the deadline to file a claim and the required documentation. For most data breach settlements of this type, claimants must submit proof of injury—such as identity theft reports, credit card fraud statements, or documentation of services purchased to protect themselves against fraud—to receive full compensation.

Filing a claim typically involves completing a claim form and submitting supporting documentation within the specified filing window, which is usually open for 60 to 90 days after notices are mailed. Account holders should save this notification when it arrives and act promptly rather than delaying, as many class members miss claim deadlines and forfeit their compensation. Those who cannot document specific fraud or losses may still qualify for a residual award from any unclaimed portion of the settlement fund, though these amounts are typically much smaller. In the meantime, affected Patelco members should monitor their credit reports through the free annual reports available at annualcreditreport.com and consider placing a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, and TransUnion) at no cost.

What Are the Regulatory Penalties and Cybersecurity Requirements?

Beyond the $7.25 million settlement fund, Patelco Credit Union faces significant regulatory consequences through California’s Department of Financial Protection and Innovation. The DFPI issued a $100,000 fine in February 2025 and entered into a consent order requiring Patelco to substantially improve its cybersecurity systems and practices. These requirements are separate from the civil lawsuit settlement and are enforceable independently by state regulators, meaning Patelco must comply or face additional penalties.

It’s important to understand that the settlement agreement itself does not require Patelco to admit wrongdoing or liability for the breach. Instead, the credit union settles to avoid the expense and uncertainty of prolonged litigation—a common approach in civil settlements. However, the regulatory consent order from the DFPI is not a settlement but a formal mandate, meaning Patelco is legally obligated to implement the specified cybersecurity improvements or face enforcement action. The combination of the civil settlement and regulatory penalties creates multiple pressure points on the institution to reform, which may provide some assurance to remaining members that the credit union is being required to make substantive security improvements.


Who Are the Named Plaintiffs and What Were the Allegations?

The class action lawsuit was brought by 12 named plaintiffs who represent all other account holders affected by the breach. These plaintiffs alleged that Patelco was negligent in protecting member data and violated California’s Consumer Privacy Act by failing to maintain adequate safeguards against foreseeable cybersecurity threats. The allegations of negligence focus on whether Patelco’s security systems were adequate for an institution managing sensitive financial data for over 1 million customers, while the CCPA violation claims argue that Patelco failed in its legal obligation to protect consumers’ personal information.

The settlement covers all Patelco account holders whose information was compromised in the June 2024 breach, regardless of whether they suffered demonstrable fraud or loss. This “settlement class” is automatically defined by the court as all individuals whose data was exposed, meaning affected members do not need to “join” the lawsuit—they are included by default. Members of the settlement class will receive notice of their rights and the claim filing deadline, and they have the option to object to the settlement if they believe it is unfair, though such objections are rarely successful once preliminary approval has been granted by a judge.

What Does This Settlement Mean for Other Financial Institutions?

The Patelco settlement is one of an increasing number of high-value data breach settlements affecting financial institutions and demonstrates that credit unions and banks cannot avoid significant liability when customer data is compromised, even if they argue they took reasonable security measures. The trend of larger settlements and regulatory fines suggests that financial institutions should expect greater scrutiny and higher financial exposure for cybersecurity incidents going forward. Customers should use this pattern as evidence that institutions facing security breaches can be held accountable through litigation and regulatory action, which provides at least some deterrent effect.

Looking forward, the combination of the $7.25 million settlement fund and the $100,000 DFPI fine creates a total financial impact exceeding $7.35 million, plus the cost of mandatory cybersecurity improvements and ongoing regulatory monitoring. For other financial institutions, this settlement serves as a warning that ransomware attacks and data breaches will result in substantial litigation costs, regulatory penalties, and mandatory security upgrades—costs that far exceed the price of investing in robust cybersecurity from the outset. Patelco members and other account holders at financial institutions should advocate for and verify that their banks and credit unions are implementing modern security practices, including multi-factor authentication, regular security audits, and robust encryption of sensitive data.

Conclusion

The Patelco Credit Union data breach settlement represents a significant recovery for more than 1 million account holders whose personal and financial information was compromised during a June 2024 ransomware attack. With preliminary court approval granted in June 2025 and a $7.25 million settlement fund in place, affected members can expect notice from a settlement administrator once final approval is granted, along with clear instructions on how to file claims and what documentation is required. The settlement does not require Patelco to admit wrongdoing, but the institution is obligated to comply with additional cybersecurity requirements mandated by California’s Department of Financial Protection and Innovation through a separate consent order.

Affected account holders should act promptly when they receive notice from the settlement administrator, file any claims they are eligible for, and take proactive steps to protect themselves against identity theft and fraud. These protective steps should include monitoring credit reports, placing a fraud alert or credit freeze with the three major credit bureaus, and remaining vigilant for phishing emails or calls that may target them using the personal information exposed in the breach. For those who have already experienced fraud or identity theft related to the breach, the settlement claims process offers the opportunity to seek reimbursement for documented losses—a critical lifeline for victims of this large-scale financial institution compromise.

