California Credit Union Settles Class Action Data Breach Lawsuit for $725,000

A Southern California credit union that experienced a cyberattack in mid-2024 has agreed to pay $725,000 to resolve a class action lawsuit alleging inadequate cybersecurity safeguards. The settlement covers nearly 35,000 current and former members whose sensitive personal and financial data was exposed when an unauthorized third party accessed a single employee email account.

Breach Background

LA Financial Federal Credit Union, formerly headquartered in Arcadia, California, with approximately $556 million in assets, disclosed that the breach occurred on or about June 10, 2024. The compromised data included names, dates of birth, Social Security numbers, and financial account information belonging to 34,866 current and former members.

What drew particular scrutiny was the timeline of notification. LA Financial did not begin sending breach notices to the California Attorney General and affected individuals until November 27, 2024 — roughly five and a half months after the incident was discovered. An additional round of notifications followed on March 24, 2025, for individuals identified later in the review process. California law generally requires notification to affected residents in the most expedient time possible, and the extended delay became a focal point of the litigation.

The lawsuit alleged that LA Financial failed to implement adequate cybersecurity safeguards to protect member data. The credit union denies all wrongdoing but agreed to settle in order to avoid the cost and uncertainty of continued litigation.

Settlement Terms

The $725,000 settlement fund is allocated as follows:

• Up to $85,000 for settlement administration costs

• Up to $241,666.66 in attorneys’ fees (approximately one-third of the total fund)

• Up to $5,000 each in service awards for class representatives

• The remainder distributed to eligible class members

What Affected Members Can Claim

Class members have three avenues for compensation:

1. Documented out-of-pocket losses — Members who can provide supporting documentation for expenses tied to the breach may claim up to $5,000 in reimbursement.

2. Pro rata cash payment — Those without documented losses are eligible for an estimated cash payment of $50 or more, distributed on a pro rata basis from the remaining fund.

3. California statutory payment — California residents receive an additional $100 statutory payment on top of any other benefit claimed.

All class members, regardless of which cash option they select, are entitled to two years of free credit monitoring.

Claims should be submitted to the settlement administrator at: LA Financial Data Security Incident Settlement Administrator, P.O. Box 6425, Portland, OR 97228-6425.

Key Deadlines

• Opt-out deadline: July 6, 2026

• Final approval hearing: July 20, 2026

• Claim filing deadline: August 5, 2026

Merger Context

The settlement comes as LA Financial no longer exists as a standalone institution. The credit union completed a merger into Credit Union of Southern California (CU SoCal) on June 4, 2025. CU SoCal is now a $3.3 billion institution with more than 180,000 members across 25 branches. The financial strain preceding the merger was evident: LA Financial’s income dropped 54% year-over-year through the third quarter of 2024, a period that overlapped directly with the breach incident and the early stages of litigation.

Industry Implications

The LA Financial settlement is one data point in a broader pattern that compliance officers and credit union executives cannot afford to ignore. Data breach class actions against financial institutions have proliferated as plaintiffs’ firms have sharpened their litigation strategies and courts have become more receptive to claims centered on negligent data security practices.

The notification timeline here — five and a half months between discovery and consumer notice — highlights a persistent compliance gap. Federal regulators, including the National Credit Union Administration, have moved toward stricter incident reporting timelines, and state laws such as California’s data breach statute apply considerable pressure on institutions to act quickly. A delay of this length invites both regulatory scrutiny and litigation exposure.

For credit unions in particular, the risk calculus is acute. These institutions often carry significant volumes of sensitive member data — Social Security numbers, financial account details, and more — while operating with smaller IT and security budgets than their bank counterparts. A single compromised employee email account, as demonstrated here, can expose tens of thousands of members and ultimately cost an institution hundreds of thousands of dollars in settlement funds, legal fees, and reputational damage. Robust email security controls, prompt incident response protocols, and well-documented notification procedures are no longer optional elements of a credit union’s compliance program — they are baseline expectations from regulators, litigants, and members alike.