Member Files Data Breach Lawsuit Against Credit Union & Vendor

A North Carolina man has filed a proposed class action data breach lawsuit against the $5.5 billion Truliant Federal Credit Union and its former vendor, Doxim Inc., which allegedly affected more than 48,000 members.

In February 2024, cybercriminals accessed Doxim’s computer network and obtained the personally identifiable information of Truliant members. The Winston Salem-based credit union serves nearly 340,000 members.

Truliant member Kevin Payne of Forsyth County filed the proposed class action lawsuit in U.S. District Court in Winston Salem on June 13, claiming he was forced to spend time and money to mitigate the effects of the data breach.

Doxim Inc. of Ontario, Canada was a third-party print and digital documents and statement provider for Truliant. Before the credit union ended its contract with Doxim because of production issues, the vendor collected and maintained Truliant members’ information for its print and digital document and statement services.

According to a May 14 notice letter from Truliant to its members, Doxim notified the credit union of a cybersecurity attack that occurred on April 22, which resulted in unauthorized access to some of the vendor’s data files, including Truliant files from 2012, according to the lawsuit.

These compromised files contained a combination of some of all of the following categories of information for each affected member including members’ names, account numbers and Social Security numbers. Although not disclosed in Doxim’s notice letter, the addresses and dates of birth of members might have been impacted as well, the lawsuit claimed.

In a prepared statement, Truliant said it is not at liberty to comment on pending litigation and will respond to the lawsuit through the appropriate legal channels.

“We can share that Truliant remains focused on working with our members who may have been affected by this third-party cybersecurity attack, and we have notified the potentially impacted members of steps they can take to safeguard their credit and identity at no cost,” Truliant said. “To this point, we remain unaware of any evidence that any member’s data has been published or misused. We also continue to work with leading cybersecurity experts to review our processes and procedures as we and countless other organizations combat these increasingly sophisticated cybercriminals. Our highest priority is our members’ privacy and security, and we continue to encourage any member with questions about this to call our Truliant Incident Help Line at 1-855-816-1923.”

The lawsuit noted that Truliant offered free Equifax Credit Watch services for 12 months, which required activation by the member victims of the data breach.

However, the lawsuit claimed that Truliant and Doxim have not disclosed crucial information such as the duration of the data breach, the identity of the hacking group responsible for the data breach, how the cybercriminals were able to exploit the vulnerabilities in Doxim’s IT security systems, the methodologies and full results of any investigation conducted by the vendor and credit union, and what steps have been taken by both organizations to safeguard its systems other than destroying the compromised files.

READ MORE: Payne v. Truliant Federal Credit Union and Doxim Inc.