Check City is only now notifying more than 320,000 check-cashing customers that their Social Security numbers, driver’s licenses, and financial account information were exposed in a March 2025 cyberattack tied to the Cl0p gang.

The loan servicing company, Check City Partnership – also known as CCI Financial, Inc. – is now notifying all 322,687 affected customers that reams of sensitive data were stolen from its network more than a year ago. The breach was claimed by the notorious Cl0p ransomware gang in 2025.

“On or about April 3rd, 2025, we observed a network disruption event as a result of unauthorized access to our network,“ the company said in a data breach notice first being sent to customers this past month.

Check City offers an array of loan servicing options, including payday loans, installment loans, personal loans, and title loans, according to its website. Other services advertised by the community-centered fintech provider include check cashing, Netspend cards, tax services, and money transfers.

Although Check City does not publicly disclose how many customers use its services, the Brookings Institution states that annually, roughly 12 million Americans utilize payday loan services for cash advances.

Check City waited a year to alert customers

The letter – notably dated September 10th, 2025, presumably when it was first written – clarifies that Check City networks were hacked in last March.

“Upon learning of the issue, we secured our network, reported the incident to law enforcement, engaged legal counsel, and commenced a prompt and thorough analysis in coordination with external cybersecurity professionals experienced in handling these types of incidents,” the company said.

After finishing a review of impacted files on August 11th, 2025, Check City says it determined an unauthorized individual or individuals "may have accessed and/or removed" customers’ personal information “on or about March 21st, 2025.”

"Finance companies are a prime target for hackers due to the amount of sensitive data they hold. And this attack on Check City is a prime example,” says Rebecca Moody, Head of Data Research at Comparitech.

“With 322,000 people impacted, this is one of 2025's most significant ransomware breaches, being the second largest on a finance company and the 17th largest across all sectors in the US,” Moody points out.

Moody also says it's concerning that Check City waited a year to alert customers about the breach.

“I'm unaware of any notifications appearing on Check City's website prior to these letters being issued, meaning people involved may only just be becoming aware their data had been implicated,” she said.

What data the hackers may have accessed

With nearly 60 brick-and-mortar store locations across Utah and Nevada – including Salt Lake City and Las Vegas – the “quick cash” company also services online customers in 14 other states, including Alabama, Alaska, California, Louisiana, Mississippi, Ohio, Oklahoma, Wisconsin, and Wyoming.

At least 500 Californians have been impacted, as well as 3,459 Texans, according to a March 20th data breach report filed by the Texas State Attorney General.

Records also show Check City began notifying some impacted individuals in September 2025, though broader notices to the full number of affected customers are only being sent now.

According to the Texas AG’s office, compromised personal information includes:

• Name of individual
• Address
• Social Security number information
• Driver’s license number
• Government-issued ID number (e.g. passport, state ID card)
• Financial information (e.g. account number, credit or debit card number)
• Date of birth

Although Check City says that “To date,” it has no evidence that the accessed customer data has been used to commit financial fraud or identity theft,” stolen personal and financial information can still surface later in phishing schemes, account fraud, or other identity-based scams.

However, the Cl0p ransomware group claimed Check City on its dark leak blog in 2025, around the same time it launched a campaign of cyberattacks exploiting the Cleo file transfer software.

According to the Cl0p victim blog, the gang claimed to have published a cache of Check City files at least two times, with one entry stating the full data set was linked on Tor, and another entry claiming to have leaked a smaller set of secret files.

This means the likelihood of stolen customer data circulating on the dark web and in hacker forums to be used for subsequent attacks, not only by Cl0p but also other cybercriminals, is almost a guarantee.

“If you interacted with Check City, your information was likely hacked by cybercriminals,” says Cole and Van Note, the attorneys representing potential victims of the breach.

The law firm warns the attackers can use that stolen data to “open accounts in your name, file for your tax return, take your identity, contact your employer, mess up your credit, and more.”

What affected customers should do now

Check City says customers should take advantage of the complimentary identity monitoring services, which include credit monitoring, fraud consultation, and identity-theft restoration.

Moody says, “It's imperative that anyone involved takes up Check City's offer of free credit monitoring services and goes back through their accounts to see if there has been any unauthorized activity since the breach."

Cole and Van Note also say affected customers should immediately take the following steps to help protect themselves from future attacks.

• Review Your Breach Notice
• Enroll in credit monitoring services
• Change passwords and security questions for all online accounts
• Monitor accounts by regularly checking statements and credit reports for signs of fraud
• Request a “Fraud Alert” by contacting credit bureaus to add a temporary alert to your credit file

“We apologize for any inconvenience or concern this may cause. We have taken this matter very seriously and hope you will take advantage of the services offered,” Check City said.

---

Unlock more exclusive Cybernews content on YouTube.