Doxim Settles $5.5M Data Breach Affecting 1.1M Individuals
Doxim settles a $5.5 million lawsuit over a 2023 data breach affecting 1.1 million individuals.
Why it matters: Legal and compliance teams must reassess risks tied to third-party data handlers after Doxim's breach exposed sensitive client information. This case highlights vulnerabilities vendors pose to client data security.
- $5.5 million proposed settlement filed May 5, 2026, in In re Doxim, Inc. Data Security Incident Litigation.
- Over 1,100,911 individuals affected by unauthorized access to names, addresses, account numbers, and Social Security numbers.
- Suspicious activity detected December 30, 2023, in Doxim’s credit union services network segment.
- Doxim began notifying affected individuals around May 31, 2024.
On May 5, 2026, a $5.5 million proposed class action settlement was filed in the ongoing litigation In re Doxim, Inc. Data Security Incident Litigation, resolving claims arising from a data breach detected on December 30, 2023. This breach occurred within Doxim’s network segment used to support credit union services.
Unauthorized actors accessed sensitive files containing personal information, including names, mailing addresses, account numbers, and Social Security numbers. Approximately 1,100,911 individuals were identified as affected based on Doxim’s records.
Notification to the impacted individuals began around May 31, 2024, more than five months after the suspicious activity was detected. The delayed notice underscores the complexity of breach response in third-party vendor settings.
Industry experts note that "The case illustrates how a vendor incident can become a customer-data incident," emphasizing the cascading risks posed when service providers managing sensitive data suffer compromises.
The settlement highlights the critical need for legal, compliance, and security teams at client organizations to carefully vet and monitor third-party vendors handling sensitive data, incorporating rigorous risk management practices to mitigate exposure.
By the numbers:
- $5.5 million — proposed settlement amount
- 1,100,911 — individuals affected by the breach
- December 30, 2023 — breach detected date