- Key insight: Chime told customers during the April 1 outage that their money and personal information were secure — directly contradicting the breach allegations now in court.
- What's at stake: If a court finds the company suffered a breach, Chime could face exposure under state breach-notification laws and the SEC's 2023 cybersecurity-disclosure rule.
- Supporting data: Multiple cybersecurity firms track Team 313 under different names — Void Manticore at Check Point, Storm-0842 at Microsoft, BANISHED KITTEN at CrowdStrike.
Overview bullets generated by AI with editorial review.
On April 1, when Chime Financial's mobile app went down for hours, the company told customers on its status page that "the money in your account and your personal information are secure."
Three proposed class actions filed in the following month say otherwise.
The lawsuits, all in the U.S. District Court for the Northern District of California, allege that pro-Iranian hacker group Team 313 breached Chime's systems on April 1 and stole Social Security numbers, dates of birth, government-issued IDs and other personal information from customers.
Chime said on its website during the incident that the threat actor did not steal any data.
Law firm Strauss Borrelli filed the first complaint two days after the outage. Two more firms followed within two weeks.
None of the three has produced evidence of a breach beyond what is already public knowledge. Chime's public statements indicate that Team 313 did not steal any customer data, but all three allege that there was a data compromise.
All three suits target the alleged breach. The complaints describe the outage as a consequence of it.
Two Chime customers, Cindy Castaneda and Lauren Goodloe, filed their lawsuit together. The two said they couldn't see their account balances during the outage, and Goodloe said she worried about a late rent payment.
Another customer suing Chime, Michael Walsh, said he received a bank alert about an attempted unauthorized credit card charge and a notice that his information had appeared on the dark web.
The fourth customer, Melissa Porter, described no specific injury beyond fear, anxiety and the time she spent monitoring her accounts.
Each complaint draws on the same public information: reporting from
Chime has not filed a notice of a material cybersecurity incident with the SEC, as of May 4. Under a
The fact that Chime has not filed a disclosure means either it has not determined whether the incident was material or it's decided it was not.
State breach-notification laws, including in California, require companies to notify affected individuals after they have reason to believe someone has taken unencrypted personal information without authorization. The
Inside the April 1 outage
The outage began shortly before 1 p.m. Eastern time on April 1. The DownDetector page tracking Chime user reports spiked to 6,647 problem reports against a baseline of four, according to a screenshot reproduced in the
Team 313, which calls itself "The Islamic Cyber Resistance in Iraq," posted on its leak site that it "launched a massive cyberattack targeting the servers of Chime," crashing internal servers and disabling the application and website. The post said the attack lasted an hour.
On its status page during the outage, Chime told customers that their account funds and personal information were secure, according to one of the complaints.
The Hawkeye threat advisory that the lawsuits cite describes Team 313 as a pro-Palestinian hacktivist group that multiple cybersecurity firms have linked to Iran's Ministry of Intelligence and Security.
Hawkeye published the advisory before the April 1 outage. The advisory does not mention Chime.
Multiple firms track the same group under different names. Check Point Research calls it Void Manticore. Microsoft tracks it as Storm-0842. CrowdStrike names it BANISHED KITTEN. IBM X-Force calls it the 313 Team Hacking Team.
Hawkeye describes the group's strategy as one built for influence operations rather than traditional cybercrime or espionage; Team 313 pairs technical disruption with timed public claims and amplification.
Its primary attack method is distributed denial-of-service, in which attackers flood a target with traffic to take it offline, not data theft.
The Hawkeye advisory that all three complaints cite says Team 313 is "known to exaggerate or fabricate breach claims."
