Data breaches cost individuals, corporations, healthcare providers, and governments billions of dollars each year, in lost money, identity theft losses, lost profits, and compensation for victims. Many data breaches prompt those affected to file lawsuits against the entity, alleging inadequate security and monitoring protocols.
If you are a victim of identity theft that happened because of a data breach at your bank, university, healthcare provider, or other entity you entrusted with your sensitive personal information, you may be eligible to initiate or join in a class action like those below. An experienced data breach lawyer can advise you of your legal options, including any compensation available.

New York University (NYU) data breach
New York University (NYU) experienced a major data breach in which the personal information of 3 million applicants was compromised. A hacker defaced the university’s homepage with charts displaying demographic data organized by race, as well as individual and aggregate ACT and SAT scores and GPAs of applicants.
The hacker, who used the handle @bestn-gy on X, accused NYU of employing race-based affirmative action practices in violation of the 2023 U.S. Supreme Court ruling that declared these practices unconstitutional. They stated the data displayed on the homepage was pulled from NYU’s internal data warehouse.
NYU’s IT team restored the website within hours and notified law enforcement. However, affected applicants and families initiated a class action lawsuit against NYU, citing negligent protection of sensitive applicant data.
SpyX Stalkerware data breach
The stalkerware app SpyX is marketed as a parental monitoring tool primarily used by Apple users. A massive data breach exposed the personal information of nearly 2 million users across SpyX and its related clone apps, including Msafely and SpyPhone. This breach involved highly sensitive data, including passwords stored in plain text, iCloud data, and email and IP addresses of users. Some victims suffered additional losses, including exposure of their personal photos and videos, and logs of their online activities.
This breach is especially alarming, as SpyX, while marketed as a parental control tool, is actually used quite often for covert surveillance, raising serious ethical concerns.
Cybersecurity researchers from TechCrunch and DDoSecrets discovered the breach while investigating the matter.
Victims are at heightened risk of identity theft and further invasions of privacy. There is no existing class action lawsuit, although victims certainly have solid grounds to file one.
Updates to the Cash App settlement
Users of Cash App, a popular global money transferring platform, were affected by two major data breaches. A $15 million class action settlement was approved in January 2024, giving eligible class participants up to $2,500 in reimbursement for documented losses, plus an additional $75 for time spent addressing the breach, such as freezing accounts or monitoring credit.
The initial breach occurred in April 2022, when a former employee of Cash App accessed sensitive data on over 8 million subscribers. A second data breach occurred in October 2023, involving negligent customer support and unauthorized transactions made on behalf of legitimate users.
Millions of users were represented in the class action lawsuit, which alleged that Cash App and its parent company, Block Inc., had engaged in negligent data protection and malfeasance. Payments are currently being sent out by either check or direct deposit and are expected to be completed by the end of 2025.
SogoTrade data breach
SogoTrade, Inc., an online brokerage, experienced a data breach between May 8 and May 22, 2024. The breach was discovered in March 2025 and publicly disclosed in May. A class action lawsuit has since been filed on behalf of affected customers
A significant amount of customer data was compromised in the breach, including full names, social security numbers, tax identification numbers, bank and other financial account numbers, and other sensitive information. SogoTrade is in the process of notifying affected individuals, and a class-action lawsuit against the brokerage is expected to be initiated soon.
PowerSchool data breach
In December 2024, educational technology provider PowerSchool suffered a massive data breach that exposed the personal information of 62.4 million students and 9.5 million educators.
A hacker held the data “hostage,” demanding millions in Bitcoin from schools across the U.S. and Canada. The compromised data included names, Social Security numbers, Individualized Education Plans (IEPs), and student medical records, making this one of the most serious breaches in the education sector to date.
Despite the company’s efforts to contain the breach, the hacker continued extortion attempts into 2025, directly emailing school districts with threats. In May 2025, a Massachusetts teen was identified as the perpetrator and pleaded guilty in federal court. PowerSchool later confirmed that it paid $2.85 million in ransom as part of its response to the attack.
Honorable mention: Update to the Capital One class action from 2019
In one of the largest financial institution data breaches in history, over 100 million customers in the U.S. and 6 million in Canada had their personal data exposed in a breach caused by the lax configuration of Capital One’s servers and firewalls. Full names, social security numbers, and bank account information. Payouts from the resulting $190 million class action settlement are expected to continue through the end of 2025.
What to do if you’ve been affected by a data breach
Data breaches are becoming more sophisticated and more costly for victims. If your information was exposed through a financial institution, school, app, or employer, you have legal rights worth protecting. In many cases, you may be eligible to join a class action lawsuit or file an individual compensation claim.
Have you suffered losses or been a victim of identity theft after a data breach? Please call Mason LLP today at (202) 429-2290 for a consultation.