The filing recounts how Towne later notified customers of a security issue. In a letter dated around November 13, 2025, Towne reportedly told customers it had identified “unusual activity indicating potential unauthorized access” to its network. The letter explained that, after bringing in external cybersecurity professionals and conducting “extensive forensic investigation and manual document review,” Towne determined on October 14, 2025, that certain personal information “may have been included within the impacted data that may have been copied” from its network as a result of an incident on June 7, 2025.
Barnette goes on to allege that, at the time of the incident, affected information was accessible, unencrypted, unprotected and vulnerable to acquisition and exfiltration. The filing also points to outside reports claiming that the BlackByte threat actor was behind the attack, allegedly disrupting Towne’s operations and demanding a ransom while warning that “the full leak will be published soon, unless a company representative contacts us via the channels provided.”
From there, the case focuses on what Barnette says about Towne’s overall approach to information security. He claims Towne intentionally, willfully, recklessly and/or negligently failed to implement reasonable safeguards, even though it routinely collects what the filing calls “unique and highly sensitive” data. Barnette asserts that, because of the nature of the information it holds, Towne knew or reasonably should have known it needed to follow industry standards and comply with federal and state laws on data security and breach notification.
To frame what “reasonable” security should look like, the court papers cite Federal Trade Commission publications, including “Protecting Personal Information: A Guide for Business” and “Start with Security: A Guide for Business.” They also reference the Center for Internet Security’s Critical Security Controls and CIS Benchmarks. Drawing on those materials, the filing describes widely recommended practices such as encrypting data in transit and at rest, using intrusion detection systems, monitoring for large data transfers, managing access controls, overseeing third-party vendors and limiting how long information is retained.
According to Barnette, Towne fell short of these expectations, and borrowers now face a present and continuing risk of fraud and identity theft, as well as time spent monitoring accounts, dealing with credit freezes and responding to unwanted communications. He seeks monetary damages and wide-ranging court orders that would require Towne to strengthen its information security program. Among the requested measures are independent third-party security audits, enhanced employee training, network segmentation, monitoring of the ingress and egress of network traffic, and deletion or purging of personal information unless Towne can justify keeping it.
