Chime Faces Lawsuits Alleging Iran-Linked Hack Despite Earlier Security Assurance

Chime told customers data was safe during an April 1 outage, but lawsuits claim a pro‑Iranian group stole personal data and the firm missed an SEC disclosure.

Peter Olaleru/3 min/US

Cybersecurity Editor


Chime’s April 1 service outage coincided with claims from the hacker group Team 313 that it breached the fintech’s systems and stole customer data. Despite Chime’s public assurance that no information was taken, three proposed class actions allege a compromise and note the firm’s missing SEC disclosure.

Context

On April 1, Chime’s mobile app and website went offline for several hours. The company’s status page told users that “the money in your account and your personal information are secure.” Team 313, which describes itself as “The Islamic Cyber Resistance in Iraq,” posted on its leak site that it had launched a massive cyberattack that crashed Chime’s internal servers and disabled the application. The group’s primary tactic is distributed denial‑of‑service (DDoS) traffic flooding, a technique cataloged as MITRE ATT&CK T1498. Security researchers track the same actor under multiple names: Void Manticore (Check Point), Storm‑0842 (Microsoft), and BANISHED KITTEN (CrowdStrike). Hawkeye threat intelligence notes the group often exaggerates or fabricates breach claims.

Key Facts

- The outage began shortly before 1 p.m. Eastern time and generated over 6,600 user reports on DownDetector, far above the baseline of four.
- Lawsuits filed in the U.S. District Court for the Northern District of California allege that Team 313 stole Social Security numbers, dates of birth, government‑issued IDs and other personal data.
- Chime has not filed a Form 8‑K disclosure with the SEC regarding a potential cybersecurity incident as of May 4, a requirement under the agency’s 2023 cybersecurity‑disclosure rule.
- No plaintiff has presented independent forensic evidence of a breach beyond the public statements and the group’s own leak‑site post.

What It Means

If a court determines that Chime suffered a data breach, the finding could trigger obligations under state breach‑notification laws, including California’s requirement to inform affected individuals when unencrypted personal information is accessed without authorization. The missing SEC filing also raises the possibility of enforcement action under the new cybersecurity‑disclosure regime. For security teams, the case highlights the need to verify public statements against internal logs and to prepare timely regulatory filings when an incident may be material.

Mitigations / What Defenders Should Do

- Review DDoS mitigation controls: ensure upstream scrubbing services are configured to absorb volumetric attacks (MITRE ATT&CK T1498).
- Enable and test logging for authentication and access‑control systems to detect unauthorized data exfiltration attempts.
- Conduct a materiality assessment promptly after any suspected incident and file SEC Form 8‑K within four business days if thresholds are met.
- Update incident‑response playbooks to include templates for customer notifications that align with state breach‑notification statutes.

Watch for the court’s rulings on the class‑action complaints and any subsequent SEC enforcement guidance regarding Chime’s disclosure timing.
