Key keywords: Chime class action lawsuit, April 2026 Chime data breach, Chime consumer data protection failure, fintech data breach litigation, Chime user personal information exposure, Chime cybersecurity negligence, financial app data security compliance A proposed class action lawsuit filed against neobank Chime in the U.S. District Court for the Northern District of California last week alleges the company repeatedly failed to address known cybersecurity vulnerabilities, leading to a massive April 2026 data breach that exposed the personal and financial information of more than 570,000 U.S. users. The lead plaintiff, a Texas-based Chime customer who has used the platform for 6 years, filed the suit on behalf of all U.S. residents whose data was compromised in the incident, claiming Chime violated both federal Gramm-Leach-Bliley Act requirements and state-level consumer protection statutes across 32 states. According to court filings, the April 2026 breach was first detected by independent cybersecurity researchers on April 12, 2026, when an unencrypted database containing Chime user records was found accessible on the public internet for at least 19 days. Exposed data points include full legal names, Social Security numbers, linked bank account routing and account numbers, complete transaction histories dating back to 2018, home addresses, phone numbers, and email addresses. As of press time, more than 2,100 affected users have reported instances of unauthorized account access, identity theft, or fraudulent charges linked to the breach. The lawsuit further alleges that Chime was explicitly notified of critical gaps in its data storage infrastructure in both 2024 and early 2026 by internal security teams and third-party auditors, but delayed planned security upgrades to allocate budget to user acquisition and marketing campaigns. Chime also continued to run public advertisements claiming it offered “industry-leading bank-level security” for user data in the months leading up to the breach, which the suit argues constitutes intentional deceptive marketing. Chime waited 14 days after confirming the breach to notify affected users, a delay that plaintiffs say allowed bad actors to exploit exposed data before users could take steps to freeze their credit or secure their accounts. Plaintiffs are seeking compensatory damages for out-of-pocket losses related to identity theft, free 10 years of credit monitoring and identity theft protection services for all affected users, punitive damages for Chime’s alleged negligence, and a court order requiring Chime to implement mandatory third-party security audits every 6 months for the next 10 years. Chime has not yet issued an official response to the lawsuit, but a company spokesperson said in a brief statement last week that it is “investigating the scope of the incident and taking steps to support affected customers.”