NORTH AUGUSTA, S.C. — SRP Federal Credit Union faces a consolidated federal class-action lawsuit that has been amended to allege it failed to protect the personal and financial data of more than 240,000 current and former members during a two-month cyberattack, then waited months to notify victims, according to an amended complaint filed in U.S. District Court for the District of South Carolina.
The lawsuit, brought by seven named plaintiffs from South Carolina and Georgia, claims SRP lost control of its network between Sept. 5 and Nov. 4, 2024, allowing the “Nitrogen” ransomware group to steal and later publish highly sensitive consumer information — including full credit reports, Social Security numbers, dates of birth, account numbers and other financial data.
‘Obfuscated’ What Happened
At least 471 MB of member data has already been posted on the dark web, the complaint alleges.
SRP began notifying victims around Dec. 12, 2024, nearly three months after the intrusion began. Plaintiffs argue the credit union’s breach notice “obfuscated” what happened and failed to explain the delay in alerting affected members.
The complaint alleges SRP did not use basic cybersecurity safeguards, did not encrypt Social Security numbers or other sensitive information, and did not adequately train employees or monitor systems.
It further alleges the credit union violated the Federal Trade Commission Act, state data-breach laws, and industry standards, including the NIST Cybersecurity Framework.
What Victims are Allegedly Reporting
Victims cited in the filing describe unauthorized credit-card charges, fraudulent tax filings, attempts to access their financial accounts and a surge in spam calls, phishing messages and dark-web alerts. Several plaintiffs say their information has already been used for identity theft, forcing them to spend hours dealing with banks, the IRS and credit bureaus. Some purchased credit-monitoring services or canceled and replaced financial accounts.
The suit seeks damages, restitution, injunctive relief and long-term identity-theft protection for all victims. It claims the exposure of members’ data is permanent, describing the published information as “a bell that cannot be unrung.”
SRP, which serves roughly 195,000 members and holds more than $1.8 billion in assets, has said it is enhancing technical security measures, according to the breach notice cited in the complaint.
No trial date has been set.
