A newly filed putative class action in the Western District of Texas targets Bumble, Inc., over an alleged “massive and preventable” cyberattack in or around January 2026, in which attackers allegedly accessed highly sensitive user data stored in Bumble’s systems. The complaint alleges the compromised information included names, dates of birth, addresses, telephone numbers, Social Security numbers, and account numbers, as well as highly sensitive, context-rich dating data such as chat history and dating history, the kind of data combination that can heighten identity-theft risk and privacy harms. The named plaintiff alleges time loss, anxiety, and increased risk of fraud and identity theft, and seeks damages and injunctive relief on behalf of the individuals whose information was stored and/or exposed in the breach. 

For companies watching this case, the “what went wrong” allegations read like a checklist of avoidable security and communications failures. The complaint claims Bumble promised “appropriate and reasonable security measures” (including secured servers and firewalls) in its public-facing privacy policy but allegedly did not adhere to those claims. The complaint further alleges the breach occurred through a phishing attack attributed to the “ShinyHunters” threat actor group, and argues that the fact of a successful phishing compromise suggests inadequate security controls, pointing to measures like organization-wide two-factor authentication and adequate employee cybersecurity training as known safeguards. The complaint also alleges that Bumble failed to properly secure and encrypt data, failed to implement timely breach detection, and failed to provide prompt and accurate notice.

The takeaway is that privacy policy statements, phishing training failures, encryption decisions, breach detection, and notification practices can quickly become central allegations in a class action when a security incident occurs. Even at this stage, this lawsuit is a reminder that aligning written privacy and security commitments with day-to-day implementation, and documenting those efforts, can be just as important as the technical controls themselves when an incident triggers litigation.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.