Wescom Central Credit Union customers and former customers brought this class action after being notified that an unauthorized third party accessed an email security gateway product supplied by Barracuda Networks—an incident Wescom says it discovered around May 30, 2023 and later disclosed in notices sent around Oct. 20, 2023. Because financial institutions routinely exchange sensitive documents and identity data over email, a compromise of an “email secure gateway” can be especially serious: even if core banking systems aren’t breached, exposed inbox traffic can contain names, account-related information, and other identifiers that can fuel identity theft or fraud. About 32,964 people were reportedly affected, and the settlement offers up to $2,060 per claimant (up to $500 in ordinary out-of-pocket losses, up to $60 for time spent, and up to $1,500 for extraordinary losses) plus a year of three-bureau credit monitoring with $1 million in fraud protection. The lawsuit was filed because plaintiffs alleged Wescom and Barracuda failed to adequately protect private information and, as a result, exposed class members to financial harm and the burden of monitoring and remediation. While both companies deny wrongdoing, the settlement is significant in how it translates modern breach harms into concrete categories—documented expenses, paid time, and higher “extraordinary” losses—over a multi-year window, reflecting the reality that identity misuse may show up long after the initial intrusion. It also highlights the shared-risk nature of today’s cybersecurity: even when an organization uses a well-known security vendor, weaknesses or exploitation in that vendor’s product can become the organization’s customer-facing crisis, driving litigation pressure to compensate affected individuals and to demonstrate stronger vendor oversight going forward. More broadly, this case fits into a growing wave of data-breach class actions targeting both the breached organization and key third-party service providers, especially where email systems, managed security tools, or cloud platforms are involved. In the credit union and banking sector, regulators and industry standards increasingly expect formal vendor management and incident response readiness—through frameworks like the FTC Safeguards Rule for customer information programs and the NCUA/GLBA-style expectations for financial institutions to assess service-provider controls, monitor compliance, and respond promptly to suspected incidents. As attacks increasingly pivot through widely deployed security and IT products, similar lawsuits are likely to continue testing what “reasonable” security and vendor due diligence look like—and how much compensation courts will view as appropriate for the real-world costs and risks consumers bear after a breach.