Skip to main content

Pathward Data Breach Investigation

Written by The Lyon Firm on . Posted in Data Breach.

Pathward, formerly known as MetaBank, has announced an IT/hacking incident in which almost 800,000 individuals may have been impacted. The company suffered a third-party breach via the huge MOVEit Transfer hack.

If you have received notice from Pathward or Emerald that your personal information was compromised in the MOVEit attack, contact our legal team to discuss how to protect yourself moving forward. You may be eligible to file a class action data breach claim and hold the responsible parties accountable for negligent IT security.

What Happened?

Pathward discovered in July 2023 that Fidelity National Information Services, Inc., a vendor used by the H&R Block Emerald Card, experienced a data breach related to its use of the MOVEit software.

Emerald Card explained that the incident resulted in an unauthorized party accessing names, addresses, Social Security numbers, dates of birth, driver’s license numbers, email addresses, phone numbers, and credit card information.

Emerald Card, alongside Pathward, began sending out data breach notification letters to  793,626 individuals whose information was affected by the recent data security incident.

Based on available information, it does not appear the IT systems belonging to H&R Block, Emerald Card, or Pathward were affected, as the compromised data was all located on Fidelity’s MOVEit server.

Pathward, N.A. is a finance company located in Souix Falls, South Dakota. The company operates in several industries, including traditional retail banking, electronic payments, insurance premium financing, and tax-related financial solutions.

What Pathward & Emerald Card Data Was Leaked?

According to data submitted to Maine‘s Attorney General, 793,626 individuals were impacted by the breach. Over 62 million people have been exposed due to the MOVEit transfer attack.

Pathward‘s letter to affected individuals explains the following: “On or about July 12th, 2023, we became aware that an unauthorized third party had acquired certain files transferred through the MOVEit Transfer tool, and on July 25th, 2023, the service provider provided its forensic data report.”

Exposed Social Security numbers and financial data may present various fraud and identity theft risks to affected individuals. A card number and expiration date, along with personal details, could allow some savvy cybercriminals to engage in financial fraud. Even seemingly small bits of personal data can be collated to have a big impact on victims.

Understanding the MOVEit File Transfer Attack

In late May 2023, the Russia-linked Cl0p ransomware group exploited a zero-day bug in MOVEit Transfer software, allowing them to access and download data from hundreds of organizations. The fallout has been devastating as hundreds of companies and millions of individuals race to patch their security to limit the damage. An investigation into the incident is ongoing and dozens of lawsuits have been filed relating to IT security negligence and data privacy violations.

The Lyon Firm is currently involved in several data theft cases linked to the MOVEit hack, and represents plaintiffs nationwide in a wide range of data privacy litigation. If you or a loved one has been a target in any data breach event, contact our lawyers to investigate your case. We have the experience and resources to find you rightful compensation. Free consultations and free case reviews.