A gavel designed out of binary code

Five former members of the $544 million Neighbors Credit Union in St. Louis filed separate proposed class action lawsuits over a September 2024 data breach that allegedly exposed members’ personal information to a cybercriminal group known as Black Suit.

Former Neighbors member Richard Wilbur said he received a May 7 letter from the credit union that it recently detected suspicious activity within its computer network. Wilbur is one of five former members who filed a civil lawsuit against the credit union in Missouri federal court earlier this month.

Recommended For You

The credit union said it launched an internal investigation, notified law enforcement and worked to secure the computer network. Neighbors also hired a forensic security firm. The investigation determined an unknown and unauthorized third party accessed the credit union’s computer system between Sept. 20 and Sept. 21, 2024, and acquired certain files. However, it was not until Jan. 14 when the credit union said it determined the identified files contained personal information that included Wilbur’s name and his Social Security number.

The credit union, which currently serves 47,326 members, has not disclosed the number of former and current members affected by the breach.

Wilbur’s lawsuit cited a notice from the Texas Attorney General’s office indicating that 2,406 members residing in the Lone Star State were impacted by the breach.

He alleged that the credit union delayed notifying members for 229 days after the breach began, which prevented members from making timely mitigation efforts.

“As details of the unauthorized access experienced are outlined in the notification letters sent to members, we currently do not have any additional information to share and cannot comment on pending litigation,” Neighbors SVP of Marketing Paula F. Anderson said in a prepared statement.

Because of the ongoing litigation, the credit union declined to specify how many members were affected.

Neighbors said it has taken steps to reduce the risks of future incidents, including enhancing technical security measures.

Although the credit union stated it is not aware of any fraud or identify theft that involved members’ information, it is offering members a complimentary one-year membership to an identity protection service.

Nonetheless, Wilbur’s lawsuit showed evidence that cybercriminal group Black Suit already leaked members’ personal information on the dark web and had published a “link” on Oct. 18, 2024, less than a month after the breach occurred. When cybercriminals post a “link,” it typically means they are sharing access to stolen data.

Black Suit has been connected with several major cyberattacks. Last June, for example, the cybercriminal organization disrupted operations at numerous U.S. car dealerships by attacking software provider, CDK Global, according to a national media report. Black Suit also published sensitive police files after the Kansas City Police Department refused to pay a ransom, technology news outlet StateScoop reported.

Although Neighbors' data breach letter to members stated it was not aware of any fraud or identity theft involving members’ personal information, Wilbur’s lawsuit claimed that assertion was misleading.

He cited the credit union’s website post that warned of fraudsters who spoofed Neighbors' phone number and impersonated employees via calls and text messages.

“On information and belief, these fraudsters ... impersonating employees are part of Black Suit,” Wilbur’s lawsuit alleged.

Peter Strozniak can be reached at [email protected].

NOT FOR REPRINT

© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Peter Strozniak

Credit Union Times reporter covering credit union operations, fraud, M&As, leagues, business continuity, and breaking news.