- Key insight: Washington's Data Breach Disclosure Law sets a 30-day ceiling on notification, measured from discovery; Columbia's delay was nearly four times that.
- What's at stake: The class action accuses Columbia Bank of negligence, invasion of privacy and violations of two Washington consumer-protection statutes.
- Supporting data: Plaintiff Kristi Meyers reports $700 in fraudulent Apple and Walmart gift-card purchases on her Columbia Bank debit card, plus a charge at a Springfield, Oregon, gas pump.
Overview bullets generated by AI with editorial review.
For the second time in three years, Columbia Bank is telling customers that hackers took their personal data. This time, the bank caught the attacker still inside its systems, then waited 119 days to tell those customers.
The intrusion ran from early October to late December, according to
A total of 7,067 individuals were affected, according to the
Columbia Bank discovered the intrusion on Dec. 19 and cut the attacker off three days later, on Dec. 22, according to the notice letter.
Columbia Bank is the Oregon-chartered, FDIC-insured subsidiary of Columbia Banking System, Inc., a Washington corporation headquartered in Tacoma that trades as COLB on the Nasdaq. The bank has roughly $66 billion in assets and operates more than 350 branches across eight western states, according to its
An Oregon resident named Kristi Meyers
Meyers' complaint says the 119-day notification delay broke
Columbia Banking System filed no Form 8-K with the Securities and Exchange Commission, or SEC, about the breach, according to the company's
The SEC requires public companies to disclose material cybersecurity incidents within four business days of determining the incident is material to investors, under
The materiality determination is the company's to make. Columbia Banking System decided this breach was not material to investors.
Umpqua Bank, whose parent merged with Columbia Banking System in 2023 to form today's Columbia Bank, was one of hundreds of institutions caught up in the global
Meyers' lawsuit is the second data-breach class action filed against the bank or its predecessor in three years. Her lead counsel, M. Anderson Berry of Seattle's Emery Reddy, PC, was local counsel on the 2023 case too.
A Columbia Bank spokesperson did not immediately respond to a request for comment.
The intrusion: 81 days in, an unnamed forensic firm out
Columbia's notice letter to affected customers says little about how the attacker got in. The bank refers only to "certain Columbia Bank applications."
That could mean customer-facing online banking, employee software, a treasury-management portal, a loan-origination platform or back-office infrastructure. The bank has not said which.
Meyers' complaint goes a step further, alleging Columbia Bank stored the affected information "unencrypted, in an Internet-accessible environment" and that "unauthorized actors used an extraction tool to retrieve" it.
The notice letter says that Columbia Bank "engaged a forensic security firm" and "notified law enforcement," but the bank has not named either.
The letter is explicit on one point: "This notification was not delayed by law enforcement." The four-month gap between detection and customer notice did not come from an investigative hold.
Caught in the act, then four months of silence
The bank's notice letter does not give a discovery date. The Dec. 19 date appears instead in a data-breach reporting portal run by the Oregon Department of Justice. (The entry misspells the bank's name as "Colombia Bank.")
The notice letter does pin down the breach window, which ran from Oct. 2 to Dec. 22.
Columbia Bank "completed our review" of the affected data on March 6, 2026, according to the notice letter. That review, which worked out which individuals were exposed and what data each had lost, took 77 days.
The bank then took another 42 days before mailing notices, beginning April 17.
Industry standards give institutions roughly 60 to 120 days to figure out which customers a complex intrusion affected. Columbia Bank's 77-day review fell within that window.
Six weeks then passed between the review's completion and the mailing of notices.
Washington's Data Breach Disclosure Law sets a 30-day ceiling on notification, measured from discovery. Most state breach laws use similar "expedient" and "reasonable" standards.
Meyers' complaint accuses Columbia Bank of breaking Washington's statute; the 119-day delay is nearly four times the 30-day ceiling.
Columbia Bank itself did not publicize the breach. As of this week, neither the
Fraudulent charges
In the wake of the Columbia Bank data breach, someone used Meyers' Columbia Bank debit card to buy roughly $700 of Apple and Walmart gift cards, according to her complaint.
The same card ran up another fraudulent charge at a gas pump in Springfield, Oregon, a few exits up Interstate 5 from her home in Elmira, Oregon.
Her complaint also says "evidence" suggests someone using a Linux computer in Springfield may be hacking her account.
Meyers has reported the fraud to local police, the FBI and the Federal Trade Commission. She has closed her Columbia Bank account and opened one at a different bank.











