Patelco Credit Union agreed to pay $7.25 million to settle a class action lawsuit over a 2024 ransomware attack that compromised the personal information of approximately 726,000 current and former members. The settlement provides affected members with two paths to compensation: those who experienced documented financial losses from identity theft, credit monitoring, or credit freezes can claim up to $5,000 per person, while members without documented losses receive a pro rata payment of $100–$200 determined by the total number of valid claims filed. This settlement represents one of the growing number of financial institution data breaches that have resulted in substantial payouts to consumers in recent years, following patterns similar to other major credit union and bank breaches. The settlement also includes a $100,000 fine imposed by California’s Department of Financial Protection and Innovation (DFPI) and requires Patelco to implement cybersecurity improvements.
This article covers the breach details, eligibility requirements, compensation structure, regulatory action, and the steps you need to take to claim your settlement benefits before the June 11, 2026 deadline. The ransomware attack that triggered this settlement began on May 23, 2024, but wasn’t publicly discovered until June 29, 2024. During the initial investigation period, Patelco members faced a complete shutdown of online banking services from June 29 through July 15, 2024—approximately two weeks of disruption when customers couldn’t access accounts, transfer funds, or conduct routine banking online. This extended outage compounded the damage from the breach itself, leaving members without online access to their financial accounts during a critical period.
Table of Contents
- What Was the Patelco Ransomware Attack and Why Is There a Settlement?
- Understanding the Timeline of the Patelco Attack and Service Disruption
- Who Is Eligible for the Patelco Settlement and What Data Was Compromised?
- How Much Can You Claim: Documented Losses vs. Pro Rata Payments?
- What Regulatory Action Did the DFPI Take Against Patelco?
- Filing Your Claim: Deadline and Process
- Protecting Your Credit Union Account and Data After a Breach
- Conclusion
What Was the Patelco Ransomware Attack and Why Is There a Settlement?
In May 2024, Patelco Credit Union fell victim to a ransomware attack that exposed sensitive personal information belonging to roughly 1 million current and former members, though approximately 726,000 members are directly included in the settlement class. The attackers stole names, dates of birth, home addresses, Social Security numbers, driver’s license numbers, and email addresses—the type of comprehensive identity theft-enabling data that puts victims at serious risk for years after a breach. Ransomware attacks function differently than typical data breaches: attackers encrypt an organization’s systems and demand payment for the decryption key, while simultaneously threatening to publish stolen data. In Patelco’s case, the breach triggered the lawsuit because members suffered both the immediate inconvenience of losing online banking access and the long-term risk of identity theft from exposed personal data. The settlement was negotiated in the class action lawsuit *Cordell, et al.
v. Patelco Credit Union*, which represents all members whose information was compromised in the attack. Rather than proceed to trial with uncertain outcomes, Patelco agreed to the $7.25 million settlement to resolve all claims. This amount reflects both compensatory damages for direct losses members experienced and damages for the breach itself. The settlement is considerably larger than what many members could recover individually through small claims court or insurance, which is why class actions exist—they pool damages so that the payment is meaningful rather than symbolic.
Understanding the Timeline of the Patelco Attack and Service Disruption
The Patelco breach unfolded in stages that matter for understanding what members experienced. The ransomware infection began on May 23, 2024, but the attack remained undetected for more than a month. On June 29, 2024, Patelco publicly announced the breach and immediately shut down online banking services to contain the damage and prevent further unauthorized access.
This shutdown lasted until July 15, 2024—a two-week period during which members relying on online banking for bill payments, account transfers, or checking balances had to use alternative methods like calling customer service, visiting branches, or using ATMs. While some members adapted easily to this disruption, others faced real hardship: think of a small business owner who makes daily transfers to payroll accounts or someone overseas needing to manage their account quickly without branch access. The timing of the discovery is relevant for another reason: regulators later found that Patelco’s cybersecurity practices didn’t meet current standards, suggesting the malware likely sat undetected in their systems for weeks before affecting operations visibly. This delay between infection and discovery is unfortunately common in corporate breaches, which is why the DFPI’s subsequent enforcement action required Patelco to implement proactive monitoring and faster detection capabilities going forward.
Who Is Eligible for the Patelco Settlement and What Data Was Compromised?
Any member of Patelco Credit Union whose information was compromised in the May 2024 ransomware attack is eligible to claim settlement benefits. This includes both current members and former members whose data remained in Patelco’s systems at the time of the breach. The affected data encompasses names, dates of birth, home addresses, Social Security numbers, driver’s license numbers, and email addresses. This comprehensive data profile is particularly concerning because it contains the core identifiers needed to commit identity theft: scammers can use the Social Security number and name together to open fraudulent accounts in someone’s name, apply for credit, file tax returns, or conduct medical identity theft.
Importantly, different members face different risks depending on what subset of data the attackers accessed or have publicly released. Some victim classes in data breaches are limited to customers whose SSNs were stolen, while others include members affected by the service disruption alone. The Patelco settlement covers all members in the original attack scope, regardless of specific data exposed, because the entire membership list was at risk. However, if you were not a Patelco member at any time up to the June 29, 2024 public disclosure date, you cannot file a claim, even if you became a member afterward. The settlement claims period and eligibility are locked to the breach discovery date, not to when you join or use the credit union.
How Much Can You Claim: Documented Losses vs. Pro Rata Payments?
The settlement compensation structure offers two distinct paths depending on what losses you can document. If you incurred measurable out-of-pocket expenses related to the breach, you can file a claim for documented losses up to $5,000. These eligible losses include credit monitoring fees you paid after the breach, costs to place credit freezes, credit repair services, identity theft remediation expenses (such as fees to restore fraudulently opened accounts), and documented losses from fraudulent identity theft activity (like unauthorized charges or accounts opened in your name). To claim documented losses, you’ll need receipts, billing statements, or other proof of payment. For example, if you paid $300 for a year of credit monitoring after learning about the breach, and another $150 to place security freezes with all three credit bureaus, you could claim $450 in documented losses.
For members who didn’t incur direct financial losses—which may include many customers who benefited from free credit monitoring offers or didn’t experience fraud—the settlement provides a pro rata payment of $100–$200. The exact amount depends on how many valid claims are filed: if relatively few people claim the settlement, per-person payments will be higher; if many claim it, they’ll be lower. This pro rata structure is a standard settlement mechanism that ensures all members benefit proportionally rather than leaving unclaimed funds in a settlement account. However, one limitation: if you file a claim for documented losses and the documentation is insufficient, you may not automatically receive the pro rata payment as a fallback. The settlement administrator will likely require choosing between documented loss claims and pro rata claims rather than accepting both. You should carefully review the claim form instructions and submit the strongest claim you can support with documentation.
What Regulatory Action Did the DFPI Take Against Patelco?
Beyond the class action settlement, California’s Department of Financial Protection and Innovation (DFPI) conducted its own investigation into Patelco’s cybersecurity practices and issued a formal enforcement action in February 2026. The DFPI found that Patelco’s cybersecurity systems and practices fell short of regulatory standards and issued a consent order requiring the credit union to implement comprehensive improvements. Patelco was also fined $100,000 by the DFPI for the cybersecurity violations—a substantial monetary penalty separate from the settlement class action payment. This fine reflects regulators’ view that Patelco’s breach was not merely an unfortunate incident of a well-protected organization falling victim to sophisticated attackers, but rather a failure of their cybersecurity posture that violated their obligations to protect member data. The consent order mandates specific improvements to Patelco’s security infrastructure and incident response procedures.
However, a caveat: regulatory consent orders are negotiated settlements themselves and often represent agreed-upon minimum standards rather than the most aggressive security measures possible. Some consumer advocates argue that many DFPI orders don’t go far enough in preventing future breaches, instead focusing on procedural changes like incident reporting and notification timelines. For Patelco members, this means the credit union is now under regulatory supervision regarding their cybersecurity, but you should not assume that a consent order eliminates all future risk. Credit unions and banks across the country face increasingly sophisticated attacks, and no organization can guarantee perfect security. This is why the settlement’s emphasis on coverage for identity theft expenses and credit monitoring is important—it acknowledges that data theft will continue to be a risk even at regulated institutions.
Filing Your Claim: Deadline and Process
The settlement claims deadline is June 11, 2026, which means if you are eligible, you must submit your claim by this date to receive compensation. Claims are filed through the official settlement website at patelcosettlement.com, which is the primary resource for submitting your claim, checking your eligibility status, and accessing the settlement claim form. When filing, you’ll need to verify your membership status (you’ll likely need account numbers or identifying information to confirm you were a Patelco member at the time of the breach) and decide whether to claim documented losses or accept a pro rata payment.
If claiming documented losses, gather all receipts and proof of payment for eligible expenses before starting your claim. The settlement administrator will review claims to verify reasonableness and prevent duplicate payments, so claiming inflated or false losses will likely result in rejection and could trigger fraud investigation. Once claims are received, the settlement administrator has 60–90 days to verify and process legitimate claims (timelines vary by settlement agreement terms). Payments typically follow 2–4 weeks after claim approval, though some settlements distribute funds in tranches if the total number of claims is unusually high.
Protecting Your Credit Union Account and Data After a Breach
The Patelco breach illustrates broader vulnerabilities in the financial services sector and what members should do to protect themselves. Even when a credit union is directly hacked, your funds are generally protected by NCUA insurance up to $250,000 per member per account type—meaning the financial loss from the breach itself is limited. However, identity theft from stolen SSNs and personal data is a separate and more persistent threat. Consider using a credit freeze to prevent fraudsters from opening accounts in your name, monitoring your credit reports regularly through the free annual reports at annualcreditreport.com, and watching for suspicious account opening attempts.
Many Patelco members have access to identity theft insurance through employers or homeowners policies, which can cover remediation costs not reimbursed by the settlement. One practical step: keep a copy of the settlement claim confirmation and the claim amount awarded in your records. If fraudsters later use your compromised information to open accounts, having documentation that you’re a Patelco breach victim can help explain sudden inquiries on your credit report and strengthen your case with creditors or credit bureaus when contesting fraudulent charges. The breach settlement is not the final chapter of your protection; it’s one tool among several that, combined with ongoing vigilance, can mitigate the ongoing risk of identity theft from this 2024 incident.
Conclusion
Patelco Credit Union’s $7.25 million settlement provides meaningful compensation to members affected by the May 2024 ransomware attack that exposed sensitive data for approximately 726,000 account holders. The settlement offers up to $5,000 for documented identity theft and fraud-related losses, or $100–$200 in pro rata payments for those without documented expenses.
The claim deadline of June 11, 2026 is now less than three months away, making this an urgent time to file if you were a Patelco member when the breach occurred. Regulatory enforcement from the California DFPI also resulted in a $100,000 fine and mandatory cybersecurity improvements, holding the institution accountable for its security failures. If you were affected by this breach, review your eligibility on the official settlement website at patelcosettlement.com, gather documentation of any losses you sustained, and file your claim before the June deadline to secure your compensation.