Credit: phonlamaiphoto/Adobe Stock
An amended complaint alleged that the $1.9 billion SRP Federal Credit Union failed to maintain reasonable security safeguards, leading to a 2024 ransomware data breach that affected more than 240,000 current and former members of the North Augusta, S.C.-based financial cooperative.
Seven SRP members filed the amended complaint in U.S. District Court in Aiken, S.C., last week. The credit union currently serves nearly 200,000 members.
U.S. District Court Judge Cameron McGowan Currie dismissed the members’ original complaint filed in December 2024. Although some of the members claimed they suffered fraudulent charges, their claims were not fairly traceable to SRP’s data breach, the judge ruled. In SRP’s successful motion to dismiss case, the credit union argued the plaintiffs have pleaded no plausible factual basis for any actual misuse of their data because of the data incident.
The proposed class action lawsuit was dismissed on Oct. 9, but members were allowed to file an amended complaint in 30 days. That filing occurred on Nov. 7.
About a week before the SRP reported a data breach to state authorities, a ransomware gang took credit for the cyber attack, claiming to have stolen 650GB of sensitive member data including names, Social Security numbers, dates of births, addresses, account numbers and credit ratings.
On Dec. 5, 2024, the cybersecurity management firm Hackmanac reported on the social media platform X that the Ransomware Nitrogen Group claimed credit for the SRP attack. A post on X included images purportedly showing leaked data from the credit union, serving as proof of the data breach. Hackmanac is based in Dubai, United Arab Emirates and specializes in monitoring and analyzing global cyber threats.
On Dec. 12, SRP reported to its members and state authorities what the credit union described as an “external system breach (hacking).”
The data breach was discovered on Nov. 22, according to the Data Breach Notification document filed with Maine’s Attorney General Office.
“The forensic investigation determined that an unknown, unauthorized third party accessed our computer systems at times from September 5, 2024, and November 4, 2024, and potentially acquired certain files from our network during that time,” the credit union stated. “The incident did not impact our online banking system or core processing system.”
The notification letter did not mention ransomware as the cause for the breach.
The amended complaint provided details about how each of the seven members were allegedly victimized after the data breach occurred and their personally identifiable information was exposed on the dark web frequented by cybercriminals.
SRP member Shannon Dunn, for example, alleged she learned in February 2025 that she became a victim of ID theft when someone submitted an IRS W-2 form using her name and Social Security number. SRP member Theresa McGrier claimed there were a number of fraudulent charges on her account, forcing her to cancel her debit card, and SRP member Ricky Chase flagged multiple unauthorized charges on his SRP accounts.
Other members reported receiving notifications of login attempts to their SRP accounts and credit cards, fraudulent purchases, increased spam calls, text messages and emails about fake unpaid fees and debts, and phishing email attempts. All members said they spent considerable time and money mitigating these issues.
SRP and their attorneys did not respond to CU Times’ requests for comments. The credit union has not yet answered the amended lawsuit.
Contact Peter Strozniak at peter.strozniak@arc-network.com.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.