Customers of Union Bank and Trust Company who had personal data exposed in the 2023 MOVEit file-transfer breach can now file claims for up to $12,500 in documented out-of-pocket losses or accept a flat $100 cash payment. The filing deadline is July 21, giving affected individuals roughly seven weeks to decide which option best fits their situation. The settlement traces back to a widely exploited software flaw that hit hundreds of organizations during the spring and summer of 2023, and the bank’s breach notification is on file with state regulators.
Confirmed facts behind the settlement
The technical root of this breach is a MOVEit vulnerability, a SQL injection flaw in Progress Software’s MOVEit Transfer platform. Attackers exploited the flaw in the wild during May and June 2023, according to the federal vulnerability record maintained by the National Institute of Standards and Technology. The bug allowed unauthorized access to databases behind MOVEit Transfer instances, which many banks, insurers, and government agencies used to move sensitive files.
Union Bank and Trust Company filed a consumer breach notification with the Maine Attorney General, which hosts the notice and an accompanying PDF letter sent to affected residents. Maine requires companies to report breaches that touch its residents, and the state’s public data breach registry confirms the bank’s entry. The settlement now offers two paths: claimants who can document identity theft costs, credit monitoring fees, or other direct financial harm may seek reimbursement up to $12,500, while those without receipts or records can opt for the simpler $100 flat payment.
The broader context for this incident appears in Maine’s statewide breach reporting spreadsheet, available through the Attorney General’s public registry. That dataset lists basic information such as the reporting entity, incident type, and notification dates. Within that framework, Union Bank and Trust Company is one of many organizations that disclosed MOVEit-related exposures during 2023, underscoring how widely the underlying software flaw was exploited.
Key gaps in the public record
Several details that would help claimants make informed decisions are not available through the primary government filings. The Maine Attorney General’s breach notice confirms the incident and the consumer notification date, but it does not specify the total number of people affected, the size of the settlement fund, or the verification process for documented-loss claims. The NIST vulnerability record provides technical context about the exploit but, as expected, contains no information about financial remedies or the bank’s specific liability.
The court filing or settlement agreement text that would spell out class definitions, claim-review timelines, and fund caps has not surfaced in the primary government sources reviewed here. Without that document, it is unclear how the settlement administrator will weigh competing claims if documented-loss requests exceed available funds. Claimants considering the higher reimbursement tier should be aware that the exact payout they receive could depend on how many people file and how the administrator allocates money across the class.
Reading the available evidence clearly
Two types of evidence anchor this story, and they serve different purposes. The NIST vulnerability database entry is a primary technical record. It confirms what the flaw was, which software versions were affected, and when exploitation began. It does not speak to legal settlements or consumer compensation. The Maine Attorney General’s breach notice is a primary regulatory record. It confirms that Union Bank and Trust Company reported a data breach and notified consumers, but it functions as an administrative filing rather than a detailed claims guide.
Everything beyond those two records, including the dollar amounts offered to class members and the July 21 filing deadline, comes from settlement-related materials rather than from the federal or state databases themselves. That distinction matters for readers trying to judge reliability. Technical and regulatory filings are designed to be sparse but precise; settlement notices are drafted to meet court and consumer-notification requirements, which may emphasize eligibility and deadlines more than underlying technical facts.
What affected customers should consider
For people deciding whether to seek the $12,500 documented-loss reimbursement or accept the $100 flat payment, the main trade-off is effort versus potential recovery. Documented-loss claims require proof, such as receipts for credit monitoring services purchased after the breach, invoices from professionals assisting with identity restoration, or bank statements showing unreimbursed fraud-related charges. Gathering and submitting that evidence can take time, and there is no public confirmation that every approved claim will be paid at the full requested amount if the fund is oversubscribed.
By contrast, the $100 option is straightforward and does not depend on showing specific financial harm. It is likely to appeal to individuals who did not incur measurable out-of-pocket costs but still want some compensation for the exposure of their data and the inconvenience of monitoring accounts. However, once a claimant chooses the flat payment, they generally cannot return later and seek additional money through the same settlement for previously uncompensated losses.
Regardless of which path they choose, affected customers should pay close attention to the official settlement website or mailed notices for instructions on how to file, what documentation is required, and when payments are expected. Because the publicly available government records do not spell out these procedural details, those settlement-specific materials are the best guide for next steps. Claimants who suspect significant identity theft or fraud may also wish to consult legal counsel or a consumer-protection agency before deciding, especially if they believe their losses exceed the settlement’s reimbursement cap.
Union Bank and Trust Company’s MOVEit incident illustrates how a single software vulnerability can ripple through financial institutions and into consumers’ lives. With only limited information in public regulatory and technical databases, individuals are left to navigate the settlement process largely on the strength of court-approved notices. Understanding what is firmly documented, what remains unknown, and what trade-offs each compensation option entails can help affected customers make the most informed choice before the July 21 deadline arrives.
Warren Cohen is a finance writer based in Phoenix, Arizona, covering personal finance topics including credit, banking, and beginner investing. He earned his degree in business administration from Arizona State University and began his career working in consumer finance, where he gained direct experience with lending and credit systems. He now writes for personal finance websites and fintech platforms, focusing on clear, practical content that helps readers make informed financial decisions.
