Your bank holds more sensitive information about you than almost any other institution: your full name, Social Security number, account numbers, transaction history, and sometimes even your employer and income. That’s exactly why banks have become one of the most targeted sectors in cybersecurity, and why a bank data breach carries consequences that go well beyond a changed password.
In recent years, nearly every major financial institution in the United States and many abroad have experienced breaches. Bank of America, TD Bank, Chase, Evolve Bank & Trust, Flagstar, US Bank, and dozens of others have disclosed incidents in which customer data was exposed, stolen, or leaked onto the dark web. Some breaches affected thousands of customers. Others impacted millions. And in many cases, customers weren’t notified until months after the fact.
If you’ve received a data breach notification from your bank, heard about an incident in the news, or simply want to know whether your financial information has been compromised, this guide covers everything. You’ll find a breakdown of every major bank data breach, what data was taken, what your legal rights are, and the exact steps you should take to protect yourself right now.
What Is a Bank Data Breach?
A bank data breach occurs when unauthorized individuals gain access to a financial institution’s systems and expose or steal confidential customer information. This can occur through an external cyberattack, a vulnerability in a third-party vendor, or even a failure within the organization. The result is the same: sensitive personal and financial data ends up somewhere it was never supposed to be.
Breaches vary widely in scale. Some involve a single misconfigured database exposing a few thousand records. Others, like the 2024 Evolve Bank & Trust breach, compromised the personal data of millions of customers across multiple financial platforms simultaneously. What they share is the potential for serious, lasting harm: identity theft, fraudulent transactions, and financial losses that can take years to resolve fully.
How Bank Data Breaches Happen
Most people imagine a lone hacker breaking through a bank’s firewall, but the reality is more complex, and often more preventable. The most common attack vectors in banking today include:

Third-party vendor vulnerabilities are responsible for a growing share of major breaches. Banks rely on hundreds of external software providers, payment processors, and data management firms. When one of those vendors is compromised, every institution connected to them is at risk. The 2023 MOVEit file transfer exploit is the clearest example; it exposed customer data across dozens of banks and financial institutions simultaneously, without any of those banks being directly attacked.
Ransomware attacks involve criminal groups infiltrating a bank’s network, encrypting critical systems, and threatening to publish stolen data unless a ransom is paid. The LockBit ransomware gang’s attack on Evolve Bank & Trust followed exactly this pattern, ultimately leading to the exposure of customer data from Evolve and several of its fintech partners.
Credential-based attacks, including phishing campaigns and credential stuffing, target bank employees or customers directly. Once valid login credentials are obtained, attackers can move through systems quietly, often going undetected for weeks or months.
Insider threats, while less common, do occur. Employees with access to customer databases have been responsible for deliberate data theft as well as accidental exposure through negligence or misconfiguration.
What Types of Data Banks Store, and What Gets Stolen
Banks are required to collect and retain extensive personal and financial information. In a breach, any of the following can be exposed:
- Full legal name, address, date of birth, and phone number
- Social Security numbers and government-issued ID information
- Account numbers, routing numbers, and card details
- Transaction history and account balances
- Login credentials and security question answers
- Employment information and income data (collected during loan or credit applications)
The combination of financial account data and identity information is particularly dangerous. Unlike a leaked email address or password, your Social Security number and account details can be used to open fraudulent credit lines, drain accounts, or commit tax fraud, often long after the original breach occurred.
How Banks Are Required to Notify Customers
In the United States, banks are regulated by federal law and must comply with specific notification requirements when a data breach occurs. Under guidelines from the Federal Financial Institutions Examination Council (FFIEC) and updated rules from banking regulators, including the OCC and FDIC, banks are generally required to notify affected customers within a reasonable timeframe once a breach is confirmed, in many cases within 30 to 60 days.
In practice, the timeline between a breach occurring and customers being notified is often much longer. Investigations take time, and institutions are sometimes permitted to delay notification if law enforcement is involved. This is why customers frequently receive breach letters months after their data was actually compromised.
State laws add another layer. California, New York, and several other states impose stricter notification windows and broader definitions of what constitutes protected personal information. If your bank operates nationally, the most protective state law often sets the standard for how it communicates breaches to all customers.
The Biggest Bank Data Breaches of 2024–2025
The past two years have been among the most damaging on record for banking cybersecurity. A combination of ransomware attacks, third-party vendor exploits, and large-scale data theft operations exposed the personal and financial information of tens of millions of customers across the United States and beyond. Below is a detailed breakdown of the most significant incidents, what happened, what was taken, and where things stand today.

Bank of America Data Breach (2024–2025)
Bank of America’s most recent data breach stems from an attack on Infosys McCamish Systems (IMS), a third-party service provider that handles deferred compensation services for the bank. The breach, which Bank of America disclosed in early 2024, exposed the personal information of approximately 57,000 customers, including names, addresses, Social Security numbers, account numbers, and dates of birth.
This was not an isolated incident for the institution. Bank of America has dealt with multiple security events over the years, but the 2024 breach drew particular attention because the bank itself was not directly attacked; its vendor was. Affected customers were offered identity protection services, and the incident reinforced a broader industry concern about the risks posed by third-party data handlers. As of 2025, customers who received breach notification letters are still advised to closely monitor their credit reports and dark web exposure.
TD Bank Data Breach
TD Bank has faced serious scrutiny following a confirmed data breach that exposed sensitive customer information, including names, contact details, account numbers, and, in some cases, Social Security numbers. The breach affected a meaningful number of customers across TD Bank’s US operations, and the bank was required to notify impacted individuals directly.
What made the TD Bank data breach particularly notable was the sensitivity of the information involved. The exposure of Social Security numbers and financial account details together creates compounded identity theft risk, the kind that doesn’t resolve quickly. TD Bank subsequently offered identity protection services to affected customers, and a class action lawsuit was filed seeking compensation for those whose data was compromised. The case remains active, and 2025 updates suggest the litigation is progressing through the courts.
Evolve Bank & Trust Data Breach
The Evolve Bank & Trust data breach is one of the most consequential banking security incidents in recent memory, and its impact extended far beyond Evolve Bank & Trust. In mid-2024, the LockBit ransomware group claimed responsibility for the attack on Evolve’s systems, ultimately publishing stolen data after the bank refused to pay the ransom.
What made this breach unusually damaging was Evolve’s position in the fintech ecosystem. Evolve operates as a Banking-as-a-Service (BaaS) provider, meaning it holds data on behalf of numerous fintech companies and their customers. Affirm, the buy-now-pay-later platform, confirmed that some of its customers’ data was exposed through the Evolve breach. Several other fintech partners were similarly affected.
The data exposed included names, Social Security numbers, bank account numbers, dates of birth, and contact information, a full identity profile for a significant number of individuals. A class action was filed, and the case, formally styled as In re Evolve Bank & Trust Customer Data Security Breach Litigation, is ongoing. If you were an Evolve customer or used a fintech service powered by Evolve, your data may have been part of this breach regardless of whether Evolve contacted you directly.
Western Alliance Bank Cybersecurity Breach
Western Alliance Bank disclosed a cybersecurity breach in early 2025 linked to a zero-day vulnerability in third-party file-transfer software. The breach exposed sensitive personal and financial information belonging to approximately 22,000 customers, including Social Security numbers, account details, tax identification numbers, and, in some cases, passport information.
The Western Alliance Bank breach followed a pattern seen across the industry: the bank’s core systems were not directly compromised, but a vendor tool used for secure file transfers was exploited. Western Alliance notified affected customers and offered credit monitoring services. Given the sensitivity of the data involved, regulators and cybersecurity researchers flagged this incident as a significant concern for the broader banking sector.
Chase Bank Data Breach
JPMorgan Chase, the largest bank in the United States by assets, has faced several data security incidents in recent years, though none on the scale of its 2014 breach, which affected 76 million households. More recent Chase Bank data breach reports involve smaller-scale incidents involving third-party vendors, employee data mishandling, and, in some cases, unauthorized access to customer account information.
Chase has been consistent in notifying affected customers when confirmed breaches occur and typically offers identity monitoring in response. As of 2025, no single catastrophic breach has been confirmed at Chase on the scale of earlier incidents, but customers who have received security notifications from the bank should treat those communications seriously and take the recommended protective steps.
US Bank Data Breach
US Bank has been linked to several data security incidents over the 2022–2025 period, primarily through third-party vendor compromises rather than direct attacks on US Bank’s own infrastructure. In some cases, these incidents involved unauthorized access to customer names, Social Security numbers, and account information held by service providers contracted by the bank.
US Bank’s 2025 breach notifications prompted renewed concern among customers, particularly those who had already received notices in prior years. If you have received multiple breach notifications from US Bank, it is worth running a dark web scan to assess the cumulative exposure of your personal information.
PNC Bank Data Breach
PNC Bank customers have been affected by data security incidents spanning 2024 through reported developments in 2026, largely through the same third-party vendor exposure patterns that have affected the broader industry. PNC breach reports have involved the potential exposure of names, Social Security numbers, and financial account details for a subset of customers.
PNC has communicated directly with affected customers and offered protective services in response to confirmed incidents. The 2026 reports suggest that continued vigilance is warranted and that customers who have not recently reviewed their credit reports or their dark web exposure should do so.
Truist Bank Data Breach
Truist Bank, formed from the merger of BB&T and SunTrust, confirmed a data breach in October 2023 after a threat actor posted what appeared to be stolen Truist customer data on an underground forum. The leaked data reportedly included bank account information, transaction records, and, in some cases, IVR (interactive voice response) source code used in customer service systems.
By 2025, Truist had faced additional scrutiny as cybersecurity researchers continued to analyze the scope of the exposure. The 2023 incident was particularly sensitive because transaction data, showing where customers spend money, how much, and how often, is not the kind of information that can simply be reset like a password. Truist customers are encouraged to review their account activity carefully and report any unauthorized transactions immediately.
Flagstar Bank Data Breach
Flagstar Bank holds the uncomfortable distinction of having experienced multiple confirmed data breaches in quick succession, in 2021, 2022, and 2023, making it one of the most repeatedly breached financial institutions in recent US history.
The 2021 breach involved a vulnerability in Accellion’s file transfer software. The 2022 breach, which Flagstar disclosed mid-year, affected approximately 1.5 million customers and exposed Social Security numbers along with personal contact information. The 2023 breach was tied to the broader MOVEit vulnerability, adding Flagstar to the long list of institutions caught in that mass exploitation. Customers who have banked with Flagstar during any of these periods should assume their data has been exposed at least once and take appropriate protective action.
Ally Bank Data Breach
Ally Bank data breach reports have surfaced across 2022, 2024, and into 2025, though Ally, an entirely digital bank, has been relatively measured in its public disclosures. The incidents reported involve unauthorized access to customer account information, in some cases tied to credential-based attacks rather than infrastructure breaches.
Because Ally operates exclusively online, its customers are particularly vulnerable to account takeover fraud when login credentials are compromised. If you are an Ally Bank customer and have not recently updated your password or reviewed your account activity, this is worth doing immediately, especially if you use the same credentials across multiple services.
SitusAMC Data Breach: Impact on Major US Banks
The SitusAMC data breach is one of the more underreported incidents of 2024, despite its broad impact across the US banking sector. SitusAMC is a real estate and financial services firm that processes mortgage and loan data on behalf of numerous major financial institutions. When SitusAMC confirmed a data breach, it simultaneously confirmed exposure for customers of multiple banks whose loan and mortgage records were held by the firm.
The breach exposed names, Social Security numbers, financial account details, and property-related information for an undisclosed number of individuals. Because SitusAMC operates behind the scenes and customers often have no idea their bank uses it, many affected individuals may never have received a direct notification. If you have a mortgage or loan serviced through a major US bank, your data may have passed through SitusAMC’s systems at some point, making a dark web check particularly worthwhile.
Complete Timeline of US Bank Data Breaches (2020–2025)
To understand the scale of the problem, it helps to see it laid out chronologically. What the last five years make clear is that bank data breaches are not isolated incidents; they are a persistent, escalating pattern driven by increasingly sophisticated attackers, an over-reliance on vulnerable third-party vendors, and the sheer volume of sensitive data that financial institutions hold. Here is a year-by-year breakdown of the most significant banking data breaches in the United States since 2020.

2020–2021: The Foundation of a Growing Crisis
The 2020–2021 period set the tone for what was to come. While large-scale consumer-facing breaches were somewhat less common than in later years, the groundwork for many future incidents was being laid through vendor vulnerabilities and increasingly bold ransomware operations targeting financial infrastructure.
In 2020, American Bank Systems, a technology provider serving community banks across the US, suffered a ransomware attack that exposed customer data from dozens of smaller institutions simultaneously. This was an early and clear signal that attacking a single vendor could compromise multiple banks at once, a playbook that threat actors would refine and repeat throughout the following years.
The 2021 Accellion file transfer breach was one of the most consequential events of the period. Accellion’s legacy File Transfer Appliance (FTA) software contained critical vulnerabilities that attackers exploited to steal data from dozens of organizations, including Flagstar Bank, whose customers had their Social Security numbers and personal information exposed as a direct result. It was one of the first high-profile demonstrations of how a software vulnerability in a tool most customers had never heard of could compromise their banking data entirely.
Also in 2021, reports of credential-based account takeovers at several online and digital banking platforms increased sharply, a trend tied to the massive volume of stolen credentials circulating on dark web marketplaces following breaches in other industries.
2022: Flagstar, US Bank, and the Rise of Repeat Breaches
2022 marked a turning point in banking cybersecurity, with several institutions experiencing their second or third breach within a short window, a sign that initial responses were not fully closing the underlying vulnerabilities.
Flagstar Bank disclosed its second major breach of the year in August 2022, this time affecting approximately 1.5 million customers. The exposed data included Social Security numbers, names, and contact details, sensitive enough to enable identity theft at scale. It was a damaging disclosure for an institution that had already dealt with the 2021 Accellion fallout.
US Bank customers were affected by multiple third-party incidents in 2022, including unauthorized access to customer information resulting from vendor-side compromises. Citizens Bank, Ally Bank, and several regional institutions also reported security events during this period, though disclosures varied widely in specificity.
The broader pattern in 2022 was one of third-party exposure compounding direct breach risk. Banks were simultaneously hardening their own perimeters while remaining exposed through the dozens of vendors, processors, and service providers connected to their systems. For customers, the practical implication was that their data could be stolen without their bank ever being directly attacked.
2023: MOVEit Changes Everything
If there is a single year that redefined the scale of banking data breaches, it is 2023, and the reason is MOVEit.
In May and June of 2023, a threat actor known as Cl0p exploited a zero-day vulnerability in MOVEit Transfer, a widely used managed file transfer software. The attack was not targeted at any single organization; it was a mass exploitation event that swept up hundreds of companies across industries, with financial institutions representing a significant portion of the victims.
Among the banks and financial service providers confirmed as MOVEit breach victims were Flagstar Bank (its third major breach in three years), First National Bank of Pennsylvania, and numerous mortgage servicers and loan processors whose customer data flowed through MOVEit-connected systems. The breach exposed names, Social Security numbers, account information, and in some cases detailed financial records for millions of individuals across the US.
Outside of MOVEit, 2023 brought several other notable incidents. Truist Bank confirmed in October 2023 that customer data, including transaction records and account information, had been posted on an underground forum by a threat actor. Umpqua Bank customers received breach notifications tied to the MOVEit event. First Merchants Bank, Peapack-Gladstone Bank, and several other regional institutions disclosed security incidents affecting customer data during the same period.
By the end of 2023, the picture was stark: millions of Americans had their banking data exposed, many through breaches at companies they had never directly interacted with.
2024: Ransomware, Fintech Chains, and Mass Vendor Exploits
2024 brought a new level of sophistication to banking sector attacks, with threat actors demonstrating a clear strategic preference for targeting institutions at the center of interconnected financial ecosystems, where a single successful breach could cascade across dozens of downstream partners and customers.
The Evolve Bank & Trust breach, carried out by the LockBit ransomware group in mid-2024, was the defining incident of the year. By compromising Evolve’s Banking-as-a-Service infrastructure, LockBit gained access to data not just from Evolve’s direct customers but also from the customers of multiple fintech companies, including Affirm, that relied on Evolve’s platform. The breach exposed Social Security numbers, account details, and personal information for a substantial number of individuals, triggering class action litigation that remains active.
TD Bank confirmed a data breach in 2024 that exposed sensitive customer information including Social Security numbers and financial account details, resulting in direct customer notifications and the filing of a class action lawsuit. Western Alliance Bank disclosed its own breach, linked to a zero-day in file-transfer software, affecting approximately 22,000 customers and exposing particularly sensitive data, including passport information and tax identification numbers.
The SitusAMC breach also surfaced in 2024, quietly exposing mortgage and loan data for customers of multiple major US banks who had no direct relationship with SitusAMC and, in many cases, received no notification.
Bank of America’s Infosys McCamish breach notification, while tied to a 2023 attack, resulted in widespread customer disclosure throughout early 2024, adding roughly 57,000 affected individuals to the year’s running total.
2025: Continued Escalation and Emerging Threats
The 2025 banking breach landscape has continued the trajectory established in prior years, with several institutions issuing new or updated breach notifications and class action activity intensifying across multiple ongoing cases.
PNC Bank, US Bank, and TD Bank have all been associated with new breach reports or updated disclosures in 2025, with customers receiving notifications related to both new incidents and the ongoing fallout from prior compromises. FinWise Bank disclosed a breach in September 2025 affecting customer data. First National Bank of Pennsylvania issued updated notifications in 2025 related to ongoing investigation findings.
The broader pattern in 2025 reflects a data breach environment in which the lag between an initial compromise and full customer notification can span calendar years, meaning incidents that originated in 2023 or 2024 are still producing new disclosures today. Customers who have not received a breach notification are not necessarily in the clear. Dark web monitoring data suggests that banking credentials and personal financial records continue to circulate and be traded long after the original breach event, making ongoing vigilance essential regardless of whether a formal notification has arrived.
What Gets Stolen in a Bank Data Breach?
Not all data breaches are equal. A breach that exposes email addresses is concerning. A breach that exposes your full financial profile is a problem of a different category entirely. Banks hold a uniquely dense concentration of personal information, the kind that, when stolen, can be weaponized in multiple ways across multiple years. Understanding exactly what gets taken helps explain why banking data breaches carry consequences that outlast the incident itself.

Social Security Numbers and Government IDs
Of everything a bank stores, Social Security numbers are the most damaging data point to lose. Unlike a password, you cannot change your SSN. Once it is in the hands of a threat actor, it becomes a permanent tool for identity theft, used to open fraudulent credit accounts, file false tax returns, claim benefits in your name, or sell as part of a complete identity package on dark web marketplaces.
Most banks collect Social Security numbers during account opening, loan applications, and identity verification processes. Government-issued ID details (passport numbers, driver’s license numbers, and state ID information) are frequently collected alongside SSNs for the same purposes and pose similar risks if exposed. Several recent breaches, including the Western Alliance Bank incident, confirmed that passport numbers were among the data points stolen, an exposure that creates fraud risk well beyond the banking context.
Account Numbers and Routing Numbers
Your bank account number and routing number together are essentially the keys to your account for anyone who knows how to use them. With these two pieces of information, fraudsters can initiate unauthorized ACH transfers, set up fraudulent direct deposits, create counterfeit checks, or drain funds through payment platforms that rely on bank account verification.
What makes this particularly serious is that account and routing numbers cannot be reset easily. Changing them requires closing your existing account and opening a new one, a disruptive process that many customers delay, leaving themselves exposed in the interim. Breaches at institutions like Evolve Bank & Trust and Flagstar Bank exposed account numbers for large numbers of customers, and the financial fraud that follows such exposures can take months to unwind fully.
Login Credentials and Passwords
Online banking credentials (usernames, passwords, and in some cases security question answers) are a primary target in breaches that involve customer-facing banking portals. Once obtained, these credentials allow attackers to log in directly to accounts, transfer funds, change contact information to lock out the legitimate account holder, or use the access to gather additional personal data.
Even when a bank’s own systems are not breached, customers face credential exposure through data breaches in other industries. If someone uses the same email and password for their bank account that they use for a breached retail or social media platform, their banking access is effectively compromised. This is why credential stuffing, the automated testing of stolen login pairs against banking sites, has become one of the most common attack methods targeting digital banks like Ally.
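On the bank's side, credential stuffing leaves a recognizable trace in login logs: one source trying many different usernames with a high failure rate, unlike a brute-force attempt, which hammers a single account. The following is an added example, not code from the original article; the log format, thresholds, and function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (hypothetical) log format:
#   <ISO timestamp> ip=<address> user=<name> result=OK|FAIL
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample data using documentation IP ranges; not real traffic.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2025-03-01T10:00:03Z ip=203.0.113.7 user=bob result=FAIL
2025-03-01T10:00:05Z ip=203.0.113.7 user=carol result=FAIL
2025-03-01T10:00:08Z ip=203.0.113.7 user=dave result=FAIL
2025-03-01T10:00:10Z ip=203.0.113.7 user=erin result=FAIL
2025-03-01T10:00:12Z ip=203.0.113.7 user=frank result=OK
2025-03-01T10:01:00Z ip=198.51.100.20 user=grace result=FAIL
2025-03-01T10:01:02Z ip=198.51.100.20 user=grace result=FAIL
2025-03-01T10:01:04Z ip=198.51.100.20 user=grace result=FAIL
2025-03-01T10:01:06Z ip=198.51.100.20 user=grace result=FAIL
2025-03-01T10:01:08Z ip=198.51.100.20 user=grace result=FAIL
2025-03-01T10:01:10Z ip=198.51.100.20 user=grace result=FAIL
2025-03-01T10:02:00Z ip=192.0.2.55 user=heidi result=FAIL
2025-03-01T10:02:20Z ip=192.0.2.55 user=heidi result=OK
"""


def parse(text):
    """Turn log text into event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": result == "OK",
        })
    return events


def analyze(text, window=timedelta(minutes=5), min_users=5,
            min_failures=5, min_fail_ratio=0.8):
    """Flag source IPs whose recent login attempts look automated.

    credential_stuffing: many distinct usernames, mostly failing.
    brute_force:         one username, many failures.
    Thresholds are illustrative and need tuning against real traffic
    (shared NAT addresses can legitimately carry several users).
    """
    events = sorted(parse(text), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # per-IP sliding window of events
    findings = {}
    for ev in events:
        q = recent[ev["ip"]]
        q.append(ev)
        # Drop attempts that have aged out of the window.
        while q[0]["ts"] < ev["ts"] - window:
            q.popleft()
        users = {e["user"] for e in q}
        fails = sum(1 for e in q if not e["ok"])
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            kind = "credential_stuffing"
        elif len(users) == 1 and fails >= min_failures:
            kind = "brute_force"
        else:
            continue
        entry = findings.setdefault(ev["ip"], {"kind": kind, "successes": []})
        if kind == "credential_stuffing":
            entry["kind"] = kind  # the broader pattern takes precedence

    # A successful login from a flagged source marks an account to review:
    # the stolen pair worked, so the password should be reset.
    for ev in events:
        entry = findings.get(ev["ip"])
        if entry and ev["ok"] and ev["user"] not in entry["successes"]:
            entry["successes"].append(ev["user"])
    return findings


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info["kind"], "accounts to review:", info["successes"])
```
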
Credit and Debit Card Data
Credit and debit card information stolen in banking breaches typically includes card numbers, expiration dates, and CVV codes, enough to make fraudulent online purchases or sell on criminal marketplaces as “fullz” (complete card records). In some cases, magnetic stripe data is also obtained, enabling the creation of cloned physical cards.
Card data is, in some respects, the most recoverable category of stolen banking information. Banks can cancel and reissue cards relatively quickly, and unauthorized transactions are generally covered under federal consumer protection rules. However, the inconvenience of card fraud (disputing transactions, updating automatic payments, and waiting for replacement cards) should not be underestimated, particularly for customers affected by large-scale breaches where reissuance timelines stretch across weeks.
Transaction History and Bank Statements
Transaction data is among the most underappreciated categories of stolen banking information. On the surface, knowing where someone shops or how much they spend seems less harmful than having their SSN. In practice, detailed transaction history is extraordinarily useful to fraudsters and social engineers alike.
Transaction records reveal your income level, spending patterns, recurring bills, insurance providers, medical expenditures, and even physical location patterns based on where purchases are made. This information enables highly targeted phishing attacks, and criminals can craft convincing messages that reference real transactions, making it far easier to deceive victims into revealing additional credentials or authorizing fraudulent transfers. The Truist Bank breach, which exposed transaction records alongside account information, was flagged by security researchers specifically because of how exploitable that combination is.
Personal Contact and Address Information
Every bank collects names, phone numbers, email addresses, and physical addresses as a baseline for account management and regulatory compliance. While this category of data is less immediately dangerous than SSNs or account numbers, it is the connective tissue that makes other stolen data far more effective.
A fraudster with your name, address, phone number, and bank name has everything needed to impersonate you in a customer service call, a tactic known as vishing (voice phishing), or to intercept physical mail, including replacement cards, account statements, and identity verification letters. Personal contact data also enables highly targeted spam, SIM-swapping attacks, and account recovery fraud. In virtually every major bank data breach, personal contact information is among the confirmed data points exposed, making it the quiet enabler of nearly every downstream fraud scheme.
I Got a Bank Data Breach Notice. What Should I Do?
Receiving a data breach notification letter from your bank is unsettling, but the window immediately after receiving one is also when your response matters most. Acting quickly and methodically can significantly limit the damage. The steps below are ordered by urgency; work through them in sequence rather than jumping straight to the ones that feel most familiar.

Step 1: Verify the Breach Is Real (Not a Phishing Scam)
Before doing anything else, confirm that the notification you received is legitimate. This is not paranoia; it is a necessary first step because fraudsters routinely send fake breach notification emails designed to panic recipients into clicking malicious links or handing over account credentials.
If you received the notice by email, do not click any links in the message. Instead, go directly to your bank’s official website by typing the URL into your browser, log in to your account, and check for any official announcements or alerts. Call the number on the back of your bank card, not any number listed in the email, and ask a representative to confirm whether a breach has occurred and whether your account was affected. If the notice arrived by post on official bank letterhead, it is considerably more likely to be genuine. Still, the same verification step is worth taking before acting on any specific instructions it contains.
Step 2: Identify Exactly What Data Was Compromised
Once you have confirmed the breach is real, read the notification carefully to understand precisely what category of information was exposed. This matters because the appropriate response depends entirely on what was taken.
A breach involving only your name and email address requires a different level of response than one that exposed your Social Security number, account numbers, or transaction history. The notification letter is legally required to specify which types of data were compromised. If it is vague, call your bank directly and ask for clarification. Make a written note of the confirmed exposed data types. This information will be relevant if you need to place a credit freeze, file a complaint, or pursue compensation later.
Step 3: Place a Fraud Alert or Credit Freeze
If your Social Security number, account numbers, or government ID information were among the exposed data, placing a fraud alert or credit freeze should be your immediate next action.
A fraud alert notifies lenders to take extra steps to verify your identity before opening new credit in your name. It is free, lasts one year, and only needs to be placed with one of the three major credit bureaus, Equifax, Experian, or TransUnion, as they are required to notify the others. A credit freeze goes further, completely restricting access to your credit file so that new accounts cannot be opened in your name at all. It is also free, does not affect your existing credit, and can be lifted temporarily whenever you need to apply for credit yourself. For anyone whose SSN has been exposed in a bank data breach, a credit freeze is the stronger and recommended option.
Step 4: Monitor Your Dark Web Exposure
A bank data breach notification tells you what your bank knows was exposed. It does not tell you where that data has ended up. Stolen banking records are frequently sold or traded on dark web marketplaces, sometimes within hours of a breach, and the data can remain in active circulation for years afterward.
Running a dark web scan gives you a clearer picture of your actual exposure. DeXpose’s free dark web report allows you to check whether your personal or financial information has appeared in known breach databases and dark web sources, giving you visibility beyond what your bank’s notification letter can provide. For ongoing protection, dark web monitoring tracks new appearances of your data in real time, an important layer of defense given how slowly breached data sometimes surfaces after the original incident.
Step 5: Change Credentials and Enable MFA
If your online banking login credentials were among the compromised data, or even if you are not certain, change your banking password immediately. Choose something unique to that account, not a variation of a password used elsewhere. If you use the same password across multiple services, this is the moment to address that across all of them, starting with financial accounts.
Enable multi-factor authentication (MFA) on your banking account if you have not already done so. MFA requires a second form of verification, typically a code sent to your phone or generated by an authenticator app, in addition to your password. This means that even if your credentials are stolen, an attacker cannot access your account without also controlling your second factor. Most major banks now offer MFA; if yours does not, that is worth raising directly with them. Also, review any saved payment methods, automatic transfers, or linked external accounts and verify that none have been altered.
Step 6: Document Everything for Potential Claims
The final step is one many people overlook in the immediate stress of responding to a breach, but it becomes important if you later decide to pursue compensation or join a class action lawsuit.
Keep a copy of the breach notification letter or email. Record the date you received it and the specific data types listed as compromised. If you experience any financial fraud, unauthorized account activity, or identity theft that you believe is connected to the breach, document each incident in detail, including dates, amounts, institutions involved, and any reference numbers from fraud reports. File a report with the FTC at IdentityTheft.gov if you experience identity theft. This documentation serves as the evidentiary foundation for any future claim, whether that is a direct complaint to your bank, a regulatory complaint, or participation in class action litigation currently active against TD Bank, Evolve Bank & Trust, and others.
Can You Sue Your Bank for a Data Breach?
The short answer is yes, you can sue your bank for a data breach, and many people do. The longer answer involves understanding the legal grounds, what realistic outcomes look like, and whether an individual claim or a class action is the more appropriate path for your situation. This section explains the legal landscape clearly, without overstating what compensation is likely or understating the rights you genuinely have.

Your Legal Rights After a Bank Data Breach
Banks operating in the United States are subject to a range of federal and state laws that impose data security obligations and, when those obligations are not met, create legal exposure for the institution. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to implement safeguards to protect customer data. The FTC Safeguards Rule, updated in 2023, sets specific security requirements for how financial institutions must handle personal information. State consumer protection laws and data breach notification statutes add further layers of accountability.
When a bank fails to meet these standards by neglecting known vulnerabilities, failing to adequately vet third-party vendors, or delaying breach notification beyond legal requirements, affected customers may have grounds for legal action. The key legal theories used in bank data breach lawsuits typically include negligence (the bank failed in its duty to protect your data), breach of contract (the bank’s privacy policy or terms of service constituted a contractual commitment it did not honor), and, in some cases, breach of fiduciary duty where a special relationship of trust can be established.
It is worth noting that successfully suing a bank for breach of privacy or data mishandling requires demonstrating actual or likely harm. Courts have historically been inconsistent on whether the mere exposure of data, without documented fraud or identity theft, is sufficient to establish standing. This is one of the reasons class actions have become the dominant legal vehicle for bank data breach claims.
Class Action Lawsuits vs. Individual Claims
For most people affected by a bank data breach, a class action lawsuit is the more practical path than an individual claim. Here is the practical distinction.
An individual lawsuit against a bank requires you to retain your own attorney, bear the costs of litigation, and demonstrate specific harm that is directly attributable to the breach. Given that legal fees in complex financial cases can run into tens of thousands of dollars, individual claims only make economic sense when the damages are substantial and clearly documented: significant financial losses, extensive identity theft remediation costs, or other quantifiable harm directly tied to the breach.
A class action consolidates the claims of many affected individuals into a single lawsuit. Plaintiffs share legal representation, costs are borne by the law firm on a contingency basis, and the burden of proving systemic negligence falls collectively rather than on any one individual. The trade-off is that individual payouts in class-action settlements tend to be modest, often ranging from tens to a few hundred dollars per claimant. However, class actions serve an important function in holding institutions accountable and forcing operational changes that benefit all customers.
If you have suffered significant, documented financial harm as a direct result of a bank data breach, speaking with an attorney about an individual claim is worth pursuing. If your situation involves data exposure without major direct financial loss, joining a relevant class action is typically the more realistic avenue.
Bank of America, TD Bank, and Evolve Class Action Status
Several major class action lawsuits stemming from recent bank data breaches are currently active, and affected customers may be eligible to participate.
The Evolve Bank & Trust class action, formally styled as In re Evolve Bank & Trust Customer Data Security Breach Litigation, is among the most significant active cases. Filed in response to the 2024 LockBit ransomware breach, the lawsuit alleges that Evolve failed to implement adequate security measures and delayed notification to affected customers. Given the breadth of the breach across Evolve’s fintech partner network, the potential class is large. It includes individuals who may not have been direct Evolve customers but whose data was held by connected platforms such as Affirm.
The TD Bank data breach class action was filed after TD Bank confirmed that sensitive customer information, including Social Security numbers and financial account details, was compromised. The lawsuit alleges negligence and inadequate data security practices and is progressing through the courts as of 2025.
Bank of America has faced class action litigation related to the Infosys McCamish breach, with plaintiffs arguing that Bank of America is responsible for the exposure of customer data through a vendor it selected and contracted with. The bank’s decision to use IMS as a service provider, and the adequacy of the due diligence applied to that relationship, are central to the legal arguments.
If you received a breach notification from any of these institutions, checking with a data breach attorney about your eligibility to join the relevant class action costs nothing and takes very little time.
How Data Breach Compensation Works
Compensation in bank data breach cases, whether through class action settlements or individual claims, generally covers several categories of harm. Understanding these categories helps set realistic expectations.
Out-of-pocket losses are the most straightforward: fraudulent charges, costs of credit monitoring services you purchased, fees paid to resolve identity theft, and time spent dealing with the fallout of the breach, calculated at a reasonable hourly rate. These are the easiest damages to document and recover.
Beyond direct losses, many settlements include a fund for claimants who can demonstrate that the breach caused them to spend time dealing with fraud or identity theft issues, even in the absence of specific dollar losses. Emotional distress and reputational harm are argued in some cases, but are harder to quantify and less reliably compensated.
In class action settlements, affected individuals are typically notified by mail or email with instructions for submitting a claim. Missing the claims deadline results in forfeiting your share of the settlement while still being bound by its terms, so if you receive a class action notice, responding to it matters even if the individual payout seems small.
Regulatory fines and enforcement actions, such as the £16.4 million fine levied against Tesco Bank by the FCA, do not directly compensate customers but do demonstrate that financial regulators are increasingly willing to hold banks financially accountable for preventable security failures.
What to Do If You Want to File a Claim
If you want to pursue compensation following a bank data breach, the process begins with documentation. Gather your breach notification letter, any records of fraudulent activity or identity theft you have experienced, correspondence with your bank, and any receipts for costs you have incurred as a result of the breach. The stronger and more organized your documentation, the more useful it will be to an attorney evaluating your claim.
From there, search for active class action lawsuits related to your specific bank and breach event. Reputable class action databases and legal news sources publish updates on active cases, and many plaintiff law firms handling bank data breach litigation offer free consultations. If an active class action exists and you fall within the affected class, your attorney can advise on whether joining it or pursuing a separate individual claim better serves your interests based on the specifics of your situation.
You can also file a complaint with the Consumer Financial Protection Bureau (CFPB) or your state attorney general’s office, regardless of whether you pursue private litigation. Regulatory complaints do not directly compensate you, but they create an official record, contribute to enforcement actions, and cost nothing to file.
How Banks Are Targeted: Attack Vectors Explained
Understanding how bank data breaches happen is not just useful background knowledge; it directly informs how you protect yourself and what warning signs to watch for. Banks invest heavily in cybersecurity, yet breaches continue to occur at scale. The reason is not that banks are careless. The attack surface of a modern financial institution is enormous, spanning internal systems, dozens of third-party vendors, millions of customer endpoints, and thousands of employees. Attackers do not need to find the strongest point in that perimeter. They only need to find the weakest one.

Third-Party Vendor Breaches (MOVEit, SitusAMC, and Beyond)
The single most consequential shift in banking cybersecurity over the past five years has been the systematic exploitation of third-party vendors. Banks do not operate in isolation; they rely on hundreds of external software providers, data processors, file transfer services, mortgage servicers, and technology partners. Every one of those relationships represents a potential entry point.
The MOVEit exploitation of 2023 is the clearest illustration of how damaging this can be. A single zero-day vulnerability in a file transfer tool used across industries allowed the Cl0p ransomware group to extract data from hundreds of organizations simultaneously, including Flagstar Bank, First National Bank of Pennsylvania, and numerous financial service providers, without ever directly attacking the banks themselves. The banks were breached through software they did not build, could not fully control, and in many cases did not know had been compromised until weeks after the fact.
SitusAMC followed the same pattern in 2024. As a mortgage and loan data processor serving multiple major US banks, SitusAMC held customer records on behalf of institutions whose customers had no idea a third party was processing their data. When SitusAMC was breached, customers’ information was exposed through a relationship they never entered into directly. This is now the dominant breach model in banking: not a frontal assault on a bank’s core systems, but a quieter compromise of the vendors surrounding it.
Ransomware Attacks on Banking Infrastructure
Ransomware remains one of the most disruptive and financially damaging threats facing financial institutions. In a ransomware attack, criminal groups infiltrate a bank’s network, move laterally through its systems to maximize their access, encrypt critical infrastructure to render it inoperable, and then demand payment, typically in cryptocurrency, in exchange for a decryption key. Increasingly, they also steal data before encrypting it and threaten to publish it publicly if the ransom is not paid, a tactic known as double extortion.
The Evolve Bank & Trust breach executed by LockBit in 2024 is the defining recent example. LockBit gained access to Evolve’s systems, exfiltrated customer data across Evolve’s entire Banking-as-a-Service network, and ultimately published that data after Evolve declined to pay. The consequences extended to every fintech company and customer connected to Evolve’s platform, a cascading damage model that illustrates why ransomware groups specifically target institutions at the center of interconnected financial ecosystems.
What makes ransomware particularly difficult to defend against is the combination of speed and stealth. Sophisticated groups can spend weeks inside a network before triggering the visible attack, quietly mapping systems and stealing data while the institution remains unaware. By the time the encryption hits and the ransom note appears, the data exfiltration is already complete.
Credential Stuffing and Account Takeover
Not every bank data breach involves breaking through sophisticated infrastructure. A significant and growing category of banking security breaches relies on credentials that were already stolen elsewhere.
Credential stuffing is the automated process of taking large lists of username and password combinations, sourced from breaches at retailers, social media platforms, or other non-financial services, and systematically testing them against banking login portals. Because many people reuse passwords across multiple accounts, a significant number of those attempts succeed. Once inside, attackers can drain account balances, change contact information to lock out the legitimate account holder, set up unauthorized transfers, or harvest additional personal data for use in further fraud.
Digital-first banks are particularly exposed to this attack vector. Ally Bank, Chime, and similar online-only institutions have no physical branch layer between a customer and their account; everything runs through digital credentials. A successful credential stuffing attack against an Ally Bank customer, for example, gives an attacker complete account access with no physical friction to overcome. Enabling multi-factor authentication dramatically reduces this risk, but adoption among banking customers remains lower than it should be.
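From the defending side, credential stuffing leaves a recognizable trace in login records: one source trying many different usernames in a short time, with most attempts failing. The following is an added example, not code from this article or from any bank; the log format, thresholds, addresses, and usernames are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed detection thresholds; a real deployment would tune these.
WINDOW = timedelta(minutes=5)   # sliding window per source address
MIN_DISTINCT_USERS = 5          # many different accounts from one source
MIN_FAILURE_RATIO = 0.75        # and most of the attempts fail

# Constructed sample log (timestamp, source IP, username, outcome), sorted by time.
# 198.51.100.7 -> stuffing pattern; 203.0.113.20 -> one user mistyping a password;
# 192.0.2.50   -> shared office address, many users, all successful.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 203.0.113.20 hana FAIL
2025-03-01T10:00:02Z 198.51.100.7 alice FAIL
2025-03-01T10:00:03Z 192.0.2.50 ivan OK
2025-03-01T10:00:04Z 198.51.100.7 bob FAIL
2025-03-01T10:00:05Z 203.0.113.20 hana FAIL
2025-03-01T10:00:06Z 198.51.100.7 carol OK
2025-03-01T10:00:07Z 192.0.2.50 judy OK
2025-03-01T10:00:08Z 198.51.100.7 dave FAIL
2025-03-01T10:00:09Z 192.0.2.50 kim OK
2025-03-01T10:00:10Z 198.51.100.7 erin FAIL
2025-03-01T10:00:11Z 192.0.2.50 liam OK
2025-03-01T10:00:12Z 198.51.100.7 frank FAIL
2025-03-01T10:00:13Z 192.0.2.50 mona OK
2025-03-01T10:00:14Z 198.51.100.7 grace FAIL
2025-03-01T10:00:15Z 203.0.113.20 hana OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, ip, user, outcome == "OK"


def detect_stuffing(log_text):
    """Return {ip: {"users_tried": set, "logged_in": set}} for flagged sources.

    A source is flagged when, inside the sliding window, it has tried at least
    MIN_DISTINCT_USERS usernames and at least MIN_FAILURE_RATIO of its attempts
    failed. Once flagged, every later attempt from it is recorded as well, so
    accounts it managed to log in to can be locked and reset.
    """
    recent = defaultdict(deque)   # ip -> attempts still inside the window
    findings = {}
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        window = recent[ip]
        window.append((ts, user, ok))
        while ts - window[0][0] > WINDOW:   # drop attempts older than the window
            window.popleft()
        users = {u for _, u, _ in window}
        fail_ratio = sum(not s for _, _, s in window) / len(window)
        suspicious = (len(users) >= MIN_DISTINCT_USERS
                      and fail_ratio >= MIN_FAILURE_RATIO)
        if ip in findings or suspicious:
            hit = findings.setdefault(ip, {"users_tried": set(), "logged_in": set()})
            hit["users_tried"] |= users
            hit["logged_in"] |= {u for _, u, s in window if s}
    return findings


if __name__ == "__main__":
    for ip, hit in detect_stuffing(SAMPLE_LOG).items():
        print(ip, "tried", sorted(hit["users_tried"]),
              "and logged in as", sorted(hit["logged_in"]))
```

Neither threshold works alone: the mistyped-password user fails often but uses one username, and the shared office address has many usernames but no failures, so only the source that combines both is flagged.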
Insider Threats and Employee Data Theft
External attackers generate more headlines, but insider threats, employees or contractors who misuse their access to customer data, are a consistent and underreported source of banking data breaches. The risk comes in two forms: deliberate theft by a malicious insider and accidental exposure due to negligence or policy violations.
Deliberate insider theft typically involves employees with database access exfiltrating customer records, including names, Social Security numbers, and account details, for personal financial gain or to sell to third parties. Cases of this type have occurred at banks of all sizes, and they are particularly difficult to detect because the access itself is legitimate. It is the intent and destination of the data that is unauthorized, not the initial access.
Accidental exposure is more common and equally damaging. Misconfigurations, data sent to the wrong recipients, improperly secured internal databases, and failure to follow data-handling protocols all create breach conditions without malicious intent. The Commonwealth Bank incident involving lost data tapes is an extreme example, but everyday errors, such as an employee emailing a customer file to the wrong address or a database left without proper access controls, produce similar outcomes on a smaller scale with regularity.
Supply Chain Attacks Affecting Multiple Banks
Supply chain attacks represent the most strategically sophisticated threat vector in modern banking cybersecurity, and they are becoming more common as attackers recognize the leverage that comes from compromising a single point that connects many institutions simultaneously.
The distinction between a supply chain attack and a straightforward vendor breach lies in intent and design. In a supply chain attack, the vendor or software provider is not just an incidental path to a target; it is the deliberate target, chosen specifically because of how many downstream institutions depend on it. By compromising the software itself, the build process, or the update mechanism, attackers can distribute malicious code or gain persistent access across every organization that uses the product.
In banking, this means that a security compromise upstream in the financial technology stack can simultaneously affect community banks, regional banks, and national institutions that share no direct relationship but all rely on the same underlying infrastructure. The Marquis data breach affecting 80 banks, and the broader pattern of simultaneous multi-bank exposure seen through MOVEit and similar events, reflects exactly this dynamic. For banks, the implication is that vendor security assessments and software supply chain audits are no longer optional components of a cybersecurity program; they are foundational requirements. For customers, it means that a bank’s own security posture, however strong, offers only partial protection against the risks that exist in the ecosystem around it.
How to Check If Your Bank Account Data Is on the Dark Web
Receiving a breach notification from your bank tells you that something went wrong. It does not tell you what happened to your data after it left. In most cases, stolen banking records do not simply disappear; they are packaged, sold, and traded on dark web marketplaces where criminal buyers use them for fraud, identity theft, and account takeover. The gap between what your bank discloses and what is actually circulating in those markets is where the real risk lives, and it is a gap that most people never think to check.

What Dark Web Breach Databases Contain
Dark web breach databases are repositories of stolen data compiled from cyberattacks across industries, not just the banking sector. They are maintained and traded on private forums, criminal marketplaces, and Telegram channels, largely invisible to ordinary internet users. When a bank data breach occurs, and the stolen records are sold or published, those records typically end up indexed within these databases relatively quickly, sometimes within days of the original theft.
What those databases actually contain depends on what was stolen. In the context of banking breaches, they commonly hold full names paired with Social Security numbers, account numbers, and routing details; login credentials, including email and password combinations; credit and debit card data with associated billing addresses; and, in some cases, complete identity profiles: combinations of financial, personal, and government ID information assembled from multiple breach sources into a single exploitable record. The value of this data to criminals is compounded when records from different breaches are cross-referenced, allowing a buyer to build a more complete picture of a target than any single breach alone would provide.
How to Run a Free Dark Web Scan for Your Banking Data
The most direct way to find out whether your information has appeared in dark web breach databases is to run a dark web scan against your email address and personal details. DeXpose offers a free dark web report that checks your information against known breach data sources, giving you immediate visibility into whether your email, credentials, or personal details have been exposed, including through banking-related breaches.
For email-specific exposure, DeXpose’s free email data breach scan at dexpose.io/email-data-breach-scan/ checks your email address against breach databases to identify which incidents have compromised it and what data categories were involved. Since email addresses are almost universally collected by banks and used as the primary login identifier for online banking, this scan provides a meaningful first indicator of your risk of exposure to your banking data.
Running these scans takes under a minute and costs nothing. If results show your information has appeared in known breaches, that visibility gives you the basis for taking targeted protective action rather than responding unthinkingly to a general notification.
Signs Your Bank Account Information Has Been Stolen
Sometimes dark web evidence arrives before the scan, in the form of activity on your accounts or credit profile that shouldn’t be there. The warning signs that your banking data has been stolen and is being actively used include transactions you do not recognize appearing on your bank statements, new credit accounts or loan inquiries appearing on your credit report that you did not initiate, bills or collection notices arriving for accounts you never opened, and notifications from your bank about password changes, new device logins, or contact information updates that you did not make.
More subtle signals include calls or emails from debt collectors about debts you do not recognize, credit rejections despite a history of good standing, and unexplained changes to your tax filing status or benefit accounts, all indicators of identity theft that often originate from stolen banking data. If you are seeing any of these signs, the exposure has already moved beyond the dark web into active fraud, and the priority shifts from monitoring to immediate containment and reporting.
Setting Up Ongoing Dark Web Monitoring for Financial Accounts
A one-time scan tells you where your data stands today. It cannot tell you what happens tomorrow. Stolen banking data surfaces in new places continuously: records from a 2023 breach may not appear in an active marketplace until 2025, and freshly stolen data from recent incidents enters circulation on an ongoing basis. This is why one-time checks, while useful, are not a complete solution.
Ongoing dark web monitoring watches for new appearances of your personal and financial information across dark web sources in real time, alerting you when your data surfaces so you can respond before fraud occurs rather than after. DeXpose’s dark web monitoring service at dexpose.io/darkweb-breaches-monitoring/ provides continuous surveillance of your exposed data across breach databases, dark web forums, and criminal marketplaces, giving you the kind of persistent visibility that a bank’s one-time notification letter never can.
For anyone whose information has been confirmed in a banking breach, or who banks with any institution that has experienced a breach in recent years, which at this point covers most major US financial institutions, ongoing monitoring is not a premium add-on. It is the baseline level of protection that the current threat environment demands.
How to Protect Your Banking Data From Future Breaches
You cannot control whether your bank gets breached. What you can control is how much damage a breach does to you personally. The gap between someone whose banking data is stolen and walks away unscathed and someone who spends months untangling fraud and identity theft is almost always explained by the protective measures they had, or did not have, in place before the incident occurred. None of what follows requires technical expertise. It requires consistency.

Strong Password Hygiene for Banking Accounts
The most common entry point into a personal bank account is not a sophisticated cyberattack; it is a reused password exposed in a breach somewhere else entirely. Credential stuffing works at scale precisely because password reuse is so widespread. If your banking login shares a password with your email, a shopping account, or any other service that has ever been breached, your banking credentials are effectively compromised regardless of what your bank does to protect its own systems.
Every financial account should have a unique, long password that resists brute-force attacks and is not based on personal information like birthdays, names, or addresses, which are often exposed in data breaches. A password manager removes the burden of remembering unique credentials across accounts and eliminates the practical excuse for reuse. Treating your banking password as categorically different from passwords you use elsewhere, never recycled, never shared, and changed immediately if any related service is breached, is the single highest-impact habit change most people can make for their banking security.
Two-Factor Authentication: What Banks Support It
A strong password protects your account until your credentials are stolen. Two-factor authentication (2FA) protects it even after that happens. By requiring a second form of verification (a code sent to your phone, generated by an authenticator app, or confirmed through biometric authentication), 2FA means that stolen credentials alone are not sufficient to access your account. An attacker would need to control your second factor as well, which is a substantially higher bar.
Most major US banks now offer some form of two-factor authentication, though the implementation varies. Bank of America, Chase, Wells Fargo, Citibank, and TD Bank all support 2FA through SMS codes or authenticator apps. If your bank offers an authenticator app option rather than SMS, that is the stronger choice. SMS-based codes are vulnerable to SIM-swapping attacks, where a criminal convinces your mobile carrier to transfer your number to their device. Enabling 2FA in your account settings takes a few minutes and is one of the most effective single steps you can take to prevent account takeover following a bank data breach.
Monitoring Your Credit and Bank Statements
Proactive monitoring is what transforms a potential fraud event into a caught fraud event. Most financial damage from banking data breaches is not instantaneous; stolen data is often held, sold, and used weeks or months after the original theft. Regular monitoring of your bank statements and credit report creates the earliest possible detection window.
Review your bank account transactions at least weekly rather than waiting for monthly statements. Fraudulent activity caught within days is dramatically easier to reverse than activity discovered after weeks of accumulation. For credit monitoring, each of the three major bureaus, Equifax, Experian, and TransUnion, is required to provide a free annual credit report, accessible at AnnualCreditReport.com. Staggering your requests across the three bureaus every four months gives you near-continuous coverage throughout the year at no cost. Any account, inquiry, or address you do not recognize warrants immediate follow-up.
Using Virtual Account Numbers and Card Masking
Virtual account numbers and card masking are among the most underutilized tools available to banking customers, yet they are genuinely effective at limiting fraud exposure. A virtual account number is a temporary, randomly generated card number tied to your real account that can be used for online purchases. If that virtual number is stolen in a retailer breach or compromised in any transaction, the exposure is contained: your actual account number remains untouched, and the virtual number can simply be cancelled.
Several major banks and financial services offer virtual card numbers. Citi’s virtual account number tool, Capital One’s Eno, and Privacy.com are all functional options for accounts at banks that do not offer native virtual cards. For anyone who shops online regularly, which is effectively everyone, using virtual numbers for those transactions removes a significant category of card data breach risk entirely. The underlying account is never exposed, so there is nothing to steal from the transaction itself.
What to Expect From Bank Breach Monitoring Services
Many banks offer identity or credit monitoring services to customers following a confirmed breach, typically through partnerships with providers like Experian IdentityWorks or Equifax Complete. These services are worth enrolling in when offered at no cost; they provide credit monitoring, some level of dark web scanning, and, in some cases, identity theft insurance and restoration assistance.
However, bank-provided monitoring services have meaningful limitations that customers should understand. They are generally reactive, offered after a breach has already occurred, and their dark web scanning capabilities vary considerably in depth and frequency. Many cover only a narrow set of data points, typically your email address and Social Security number, without extending to the full range of financial and personal information that banking breaches commonly expose.
For comprehensive protection, dedicated dark web monitoring goes further than what most bank-provided services deliver. DeXpose monitors continuously across breach databases, dark web forums, and criminal marketplaces for your personal and financial information, providing the depth of coverage and real-time alerting that distinguish genuine ongoing protection from a checkbox response to a breach notification. If you have already enrolled in a bank-provided service, layering dedicated dark web monitoring on top of it closes the gaps that institution-provided coverage typically leaves open.
Conclusion
Bank data breaches are no longer rare events; they are a persistent feature of the financial landscape, affecting institutions of every size and customers who have done nothing wrong. The threat is not going away, and the next breach is a matter of when, not if.
What you can control is your level of exposure and how quickly you detect it. Strong credentials, two-factor authentication, and regular account monitoring form the foundation. Dark web surveillance closes the gap between what your bank tells you and what is actually circulating in criminal markets.
If you have not yet checked whether your financial data has already been exposed, start there. DeXpose’s free dark web report gives you immediate visibility, because the best time to find out your data is compromised is before the fraud begins.
Frequently Asked Questions (FAQs)
Did Bank of America Have a Data Breach?
Yes. Bank of America confirmed a data breach in early 2024 stemming from an attack on third-party vendor Infosys McCamish Systems, exposing the personal information of approximately 57,000 customers, including names, Social Security numbers, and account details.
Did Chase Bank Have a Data Breach?
Yes. Chase Bank has experienced multiple data security incidents, including its major 2014 breach affecting 76 million households. More recent incidents have involved third-party vendor compromises and unauthorized access to customer account information, with affected customers notified directly.
What Happened With the Evolve Bank and Trust Data Breach?
In mid-2024, the LockBit ransomware group attacked Evolve Bank & Trust, stealing and publishing customer data after Evolve refused to pay the ransom. The breach exposed Social Security numbers, account details, and personal information for customers of Evolve and multiple connected fintech partners, including Affirm.
How Many US Banks Have Been Breached?
Hundreds of US banks have experienced data breaches over the past five years, either through direct attacks or third-party vendor compromises. Major institutions, including Bank of America, Chase, TD Bank, Flagstar, US Bank, Truist, and Evolve Bank & Trust, have all confirmed significant incidents since 2020.
Is My Money Safe After a Bank Data Breach?
In most cases, your deposited funds are protected. US banks are FDIC-insured, and federal law limits your liability for unauthorized transactions if reported promptly. However, a breach can still enable fraud and identity theft, which can require time and effort to resolve, so monitoring your accounts immediately is essential.
How Long Does a Bank Have to Notify You of a Data Breach?
Under federal banking regulations, banks are generally required to notify affected customers within 30 to 60 days of confirming a breach. State laws in California, New York, and other states impose stricter timelines. In practice, notification often comes months after the actual breach occurred due to ongoing investigations.
What Is the Most Common Type of Bank Data Breach?
Third-party vendor compromises are currently the most common cause of bank data breaches. Rather than attacking a bank’s core systems directly, threat actors exploit vulnerabilities in the software providers, file transfer tools, and data processors that banks rely on, as seen in the MOVEit and SitusAMC breaches that affected dozens of institutions simultaneously.
Can a Bank Breach Affect My Credit Score?
A bank breach does not directly lower your credit score, but the identity theft it enables can. If stolen data is used to open fraudulent accounts, miss payments, or max out credit lines in your name, those activities will damage your credit. Placing a credit freeze immediately after a breach is the most effective way to prevent this.







