SRP Federal CU Moves to Pause Members' Cyberattack Case

“Allowing court proceedings to continue during arbitration would waste both the Court’s and parties’ resources and diminish the effectiveness and efficiency that arbitration was meant to achieve,” SRP stated in its answer to the members’ amended complaint.

The credit union’s members filed their original complaint as a proposed class action lawsuit in December 2024, which was dismissed by U.S. District Court Judge Cameron McGowan Currie in October 2025. Although some of the members suffered fraudulent charges, their claims were not fairly traceable to SRP’s data breach, the judge ruled.

“In short, without allegations specifying when the charges were made and linking the information misused to the information disclosed in the breach, the court cannot say “it is both plausible and likely that [the] breach of [SRP’s systems] resulted in the fraudulent use of the Plaintiff’s personal information,” Judge Currie wrote. She did not address SRP’s arbitration argument.

Nevertheless, the members were allowed to file an amended complaint, which they did on Nov. 7.

The amended complaint appeared to provide details that describe about how each of the seven members were victimized after the data breach occurred and how their personally identifiable information was exposed on the dark web, which is frequented and presumably used by cybercriminals.

In its answer to the amended complaint, SRP argued the alleged fraudulent charges the members claim were made to their accounts do not satisfy the legal “injury in fact requirement” because members did not suffer monetary losses. The credit union also argued that the alleged fraudulent charges claimed by the members are not traceable to the SRP data incident.

Before SRP reported the data breach to state authorities, a ransomware gang took credit for the cyber-attack, claiming to have stolen 650GB of sensitive member data including names, Social Security numbers, dates of births, addresses, account numbers and credit ratings.

On Dec. 5, 2024, the cybersecurity management firm Hackmanac reported on social media that the Ransomware Nitrogen Group claimed credit for the SRP attack. A post on X included images purportedly showing leaked data from the credit union, serving as proof of the data breach. Hackmanac is based in Dubai, United Arab Emirates and specializes in monitoring and analyzing global cyber threats.

On Dec. 12, SRP reported to its members and state authorities what the credit union described as an “external system breach (hacking)” that initially affected 240,742 individuals.

The data breach was discovered on Nov. 22, according to the Data Breach Notification document filed with Maine’s Attorney General Office.
On Feb. 23, 2025, SRP filed a second notification with Maine’s AG, updating the affected count to 260,950 individuals.

“The forensic investigation determined that an unknown, unauthorized third party accessed our computer systems at times from September 5, 2024, and November 4, 2024, and potentially acquired certain files from our network during that time,” the credit union stated. “The incident did not impact our online banking system or core processing system.”

The notification letters did not mention ransomware was the alleged cause of the breach.

Read More: SRP Federal Credit Union Motion to Compel Arbitration or Dismiss.

Peter Strozniak can be reached at peter.strozniak@arc-network.com