Venice, Florida-based Bitcoin ATM operator Byte Federal, Inc. disclosed in December 2024 that a cyberattack two months earlier had compromised the personal data of approximately 58,000 customers. The breach, traced to an exploited vulnerability in GitLab, exposed some of the most sensitive categories of personal information: Social Security numbers, government-issued identification documents, photographs, and transaction records.
A class action lawsuit followed, and a preliminary settlement received court approval in April 2025. Affected individuals may claim up to $3,080 in compensation.
Case Information
The Breach
On September 30, 2024, an unauthorized actor gained access to one of Byte Federal's servers by exploiting a vulnerability in GitLab, the software development platform used by the company. Byte Federal did not discover the intrusion until November 18, 2024 — nearly seven weeks later.
Data exposed in the breach:
- Full names and dates of birth
- Social Security numbers
- Government-issued identification documents (driver's licenses, passports)
- Photographs
- Email addresses and phone numbers
- Physical addresses
- Transaction activity and history
Upon discovering the breach, Byte Federal stated that it immediately shut down the affected platform, isolated the attacker, and secured the compromised server. The company noted that no customer funds or digital assets were compromised in the incident.
Data breach notification letters were sent to affected individuals on December 12, 2024.
Timeline
Class Action Settlement
The class action, captioned Fisher et al. v. Byte Federal, Inc., was filed in the 17th Judicial Circuit of Broward County, Florida. The lawsuit alleged that Byte Federal failed to implement adequate cybersecurity measures to protect customer data.
A preliminary settlement received court approval on April 20, 2025. Byte Federal has not admitted wrongdoing as part of the settlement.
What Affected Customers Can Claim
Class members who file a timely claim may receive:
- Up to $3,000 for documented out-of-pocket losses, including fraud charges, identity theft costs, credit repair expenses, and professional fees
- Up to $80 for time spent responding to the breach (up to 4 hours at $20/hour)
- Two years of credit monitoring services, including dark web scanning, identity theft insurance ($1 million coverage), real-time credit monitoring, public record monitoring, and fraud resolution assistance
The claim deadline is August 19, 2025. The opt-out deadline is August 4, 2025. The final approval hearing is scheduled for September 3, 2025. Settlement details are available at ByteDataIncident.com.
Trust Score Impact
Byte Federal's trust score on bitcoinatm.news has been downgraded from A+ (90) to C (65) following the data breach disclosure and class action. The downgrade reflects the severity of exposing SSNs and government IDs for 58,000 customers, compounded by the pending Missouri AG Civil Investigative Demand issued in January 2026.
The company's hardware and software differentiation — American-made ATMs, Lightning Network support, and non-custodial wallet options — remain genuine strengths. However, the breach raises questions about whether the same commitment to product quality extended to cybersecurity infrastructure.
Industry Context
Bitcoin ATM operators collect extensive personal information as part of federal and state Know Your Customer (KYC) requirements. This includes government-issued IDs, Social Security numbers, and photographs — data categories that create significant risk if compromised. The Byte Federal breach highlights the tension between regulatory compliance requirements that mandate data collection and the cybersecurity burden of protecting that data.
The breach also comes at a time of heightened regulatory scrutiny across the Bitcoin ATM industry. Multiple state attorneys general have launched investigations into Bitcoin ATM operators, including a Missouri AG investigation that issued Civil Investigative Demands to Byte Federal and other operators in January 2026.