On May 5, 2026, the parties in In re Doxim, Inc. Data Security Incident Litigation (E.D. Mich. June 13, 2024) filed a proposed $5.5 million class action settlement arising from a cyber incident involving Doxim, a software provider serving credit unions, wealth management service providers, and banking sectors in the United States and Canada.
Doxim detected suspicious activity on December 30, 2023, in the part of its network supporting credit union services. It later determined that files had been removed from its network and that those files included names, mailing addresses, account numbers, and/or Social Security numbers. Doxim began notifying affected individuals on approximately May 31, 2024.
In the litigation that followed, Plaintiffs alleged that Doxim failed to implement and maintain reasonable safeguards, failed to comply with industry-standard data security practices, failed to properly train employees, failed to timely detect the unauthorized access, and failed to timely notify impacted individuals. The proposed settlement class includes 1,100,911 individuals identified by Doxim’s records.
The case illustrates how a vendor incident can become a customer-data incident. If a service provider processes, stores, or transmits sensitive customer information, a breach at that provider can still affect the customers of the organization that engaged it. It can also create risk around whether reasonable safeguards were in place, whether the vendor followed industry-standard security practices, whether employees were properly trained, and whether unauthorized access was timely detected and disclosed. For organizations using vendors to handle sensitive customer data, the diligence question is not only whether the vendor can perform the service, but whether it has appropriate safeguards for the data it receives.