Check City Partnership this week confirmed it notified 322,687 people about a March 2025 data breach that compromised the following personal info:
- Names
- Social Security numbers
- Government-issued ID number (e.g. driver’s license, passport)
- Financial account numbers
- Credit and debit card numbers
- Dates of birth
- Addresses
A cybercriminal group called Clop on May 9, 2025 took credit for breaching the payday loan company on its data leak site. To prove its claim, Clop posted sample images of what it says are documents stolen from Check City.
Check City Partnership has not acknowledged Clop’s claim and Comparitech cannot independently verify it. We do not know if Check City paid a ransom, how much Clop demanded, or how attackers breached the company’s network.
Comparitech contacted Check City Partnership for comment and will update this article if it replies.
“On or about April 3, 2025, we observed a network disruption event as a result of unauthorized access to our network,” says Check City’s notice (PDF) to breach victims.
“Through the analysis, it was determined that some of our files may have been accessed and/or removed by the unauthorized individual(s) on or about March 21, 2025.”
Check City is offering eligible victims free credit monitoring and identity theft restoration through Kroll.
Who is Clop?
Clop, or Cl0p, is a high-profile ransomware group that first surfaced in 2019. It specializes in exploiting zero-day software vulnerabilities, most recently in Oracle’s E-Business Suite and the Cleo file transfer software. Cl0p targets any organization using the vulnerable software. Like some other ransomware groups, Clop doesn’t always encrypt files. Instead, it steals data and then demands a ransom to not publish or sell it.
Clop has claimed responsibility for 457 ransomware attacks since it began, 37 of which were confirmed by the targeted organizations. The confirmed attacks compromised more than 4.1 million personal records.
This attack on Check City is Clop’s second-largest breach to date after the University of Phoenix, which notified 3.5 million people.
More recently, Clop said it breached health insurer Humana.
Ransomware attacks on US finance
Comparitech researchers logged 59 confirmed ransomware attacks on US financial companies in 2025, which compromised more than 1.1 million personal records. The attack on Check City is the second-largest to date after Akira’s hack of Wakefield & Associates in January 2025, which notified 372,000 breach victims.
Other such recently confirmed attacks include:
- Michael Larson & Co reported a January 2026 data breach claimed by Akira
- Mosley Click O’Brien reported a February 2026 data breach claimed by BianLian
- US Mortgage Corporation reported a May 2025 data breach claimed by SafePay
Ransomware attacks on finance companies can both lock down computer systems and steal data, though in Clop’s case, it’s likely just the latter. Infected companies that refuse ransoms can face extended downtime, permanent data loss, and putting customers at increased risk of fraud.
About Check City Partnership
Check City is a quick cash loan company offering payday loans and other services like check cashing, tax services, and money orders. It operates more than 70 locations nationwide.
