Ellafi credit union sued over data breach, class action sought

Ellafi Federal Credit Union has been sued in federal court over its October 2025 cyberattack, with at least one member seeking to represent a nationwide class and several law firms now investigating or pursuing class action claims tied to the breach.

What happened in the breach?

• Ellafi Federal Credit Union in Middletown, Connecticut experienced a network disruption linked to a cyber incident around 14 October 2025.

• The Akira ransomware group has been identified as the threat actor and claims to have stolen about 17 GB of data from Ellafi’s systems.

• By late November 2025 Ellafi determined that files containing personal data had been accessed or acquired without authorization.

• Starting 23 December 2025, Ellafi began notifying approximately 17,600–17,627 affected individuals and state attorneys general about the breach.

What data was exposed?

• The compromised information includes at least names combined with Social Security numbers and credit and/or debit card numbers.

• Some reports also note exposure of broader internal records such as W‑9 forms, HR and accounting documents, contracts and other confidential files.​

Lawsuit and class action status

• A Connecticut member, identified in reports as Joseph Fraulino, has filed a lawsuit in U.S. federal court alleging negligence and breach of implied contract over Ellafi’s failure to use reasonable security and to provide prompt notice.​

• The complaint seeks class‑action certification, monetary damages estimated at more than 5 million dollars for affected members, and lifetime identity‑theft monitoring services.​

• As of 23 January 2026, Ellafi had not yet filed a formal response in court but has publicly stated it disputes the allegations and intends to defend itself.​

• Separate coverage notes that Ellafi has been hit with at least a second proposed class action over the same October data breach, indicating multiple overlapping class cases are now pending or proposed.​

Law firms investigating or pursuing claims

• Several plaintiffs’ firms (including Strauss Borrelli, Cole & Van Note, Lynch Carpenter, Migliaccio & Rathod, Levi & Korsinsky and others) are publicly soliciting Ellafi victims for potential data‑breach class claims.

What Ellafi is offering affected members

• Ellafi is offering complimentary identity‑protection services (credit monitoring, dark‑web monitoring, identity‑fraud loss reimbursement, and recovery services), typically for 12–24 months depending on the notice, with at least a 1 million dollar identity‑fraud loss reimbursement policy.

• Members have been told they have until about 23 March 2026 to enroll in some of these services.​

Practical steps if you’re affected

• Enroll in the free credit/ID monitoring offered in the notification letter before the stated deadline.

• Place a fraud alert or credit freeze with major credit bureaus, and monitor bank and card statements for unusual activity.

• Keep copies of any notice letters and suspicious transactions in case you decide to participate in a lawsuit or need to document losses later.

If you received a breach notice from Ellafi, you are a potential class member in these proposed actions, and you can choose to contact one of the firms above or wait to see how the court handles class certification.