Duke Energy has settled a class-action lawsuit over a data breach last year which exposed personal information to cybercriminals, according to court documents filed in the U.S. District Court for Western North Carolina.

The May 2024 data breach impacted thousands of customers of the Charlotte-based company, The Charlotte Observer reported in January. The case, with Matthew Saunders of St. Petersburg, Florida, as lead plaintiff, was filed in December.

Terms of the settlement were not disclosed in the latest filings. There were at least 100 class members with total combined claims of over $5 million, according to the complaint.

Tuesday’s actions came after both sides told the federal court in March that they had reached a deal. Duke Energy also reached settlements in six other cases in the data security incident, according to court records.

Saunders dropped all claims he brought against Duke Energy, according to a joint filing by both parties on Tuesday.

Some of the information compromised in the data breach included names, account numbers, emails, Tax IDs and Social Security numbers, court records show. The information was used by cybercriminals who sold information to identity thieves, according to court records.

Duke Energy said the claims were baseless and the company is satisfied to have the cases resolved and dismissed, spokeswoman Valerie Patterson said in a statement to the Observer.

“As we communicated to the customers who were potentially impacted by this incident, our thorough investigation revealed that no customer’s personally identifiable information, as defined by state law, was exposed,” Patterson said.

Duke Energy said it takes the security of its customers’ information seriously and is providing free credit monitoring and identity theft protection services to eligible customers that may have been impacted by this incident.

“We are pleased that many of our customers have accepted this offer,” Patterson said.

Attorneys for both parties did not respond to requests for comment Thursday from the Observer.

About the Duke Energy data breach case

Lawyers for the plaintiffs accused Duke Energy of lacking adequate cybersecurity to protect customers from cyberattacks.

They also alleged the company maintained, used, and shared personal information in a “reckless’”manner tightened and that Duke Energy transmitted personal information in a way vulnerable to cyberattacks.

Data thieves engaged in identity theft and fraud because of the breach. This included the opening of new financial accounts, taking out loans, obtaining government benefits and acquiring driver’s licenses using victims’ names but with different pictures, according to court records.

Concerns also arose about thieves committing future crimes and victims having to purchase monitoring services to protect against identity theft.

Duke Energy notified data breach victims in December about the incident through email.

More on Duke Energy

Duke Energy is one of the country’s largest energy companies. It serves 8.6 million customers in the Carolinas, Florida, Indiana, Ohio and Kentucky, according to Duke Energy’s website. Its natural gas utilities serve an additional 1.7 million in several states.

The company employs 26,000 people.

©2025 The Charlotte Observer. Visit at charlotteobserver.com. Distributed by Tribune Content Agency, LLC.