Breach Analysis

Gravity Payments Breach Exposes 2,278 via Third-Party CRM Flaw

Gravity Payments disclosed a data breach affecting 2,278 individuals after a vulnerability in a third-party CRM provider gave attackers access to personal information.

By FinSecLedger

Gravity Payments Discloses Breach Affecting 2,278 Individuals

Gravity Payments, Inc., the Boise, Idaho-based credit card processing and financial services firm, has disclosed a data breach affecting 2,278 individuals. The company filed a breach notification with the Maine Attorney General on February 4, 2026, revealing that a vulnerability in a third-party service provider's software allowed an unauthorized actor to access files containing personal information.

The breach traces back to August 2025, when Gravity's CRM vendor informed the company that an attacker had exploited a flaw in its platform. The incident adds to a growing body of evidence that third-party vendor risk is one of the most persistent threats facing payment processors and financial services firms.

Gravity Payments is best known publicly for its CEO's 2015 decision to set a $70,000 minimum salary for all employees. In the payments world, the company provides credit card processing, point-of-sale solutions, and related financial services to small and mid-sized businesses. That business model requires Gravity to collect and store sensitive personal and financial information, which makes incidents like this one particularly consequential for downstream clients and their customers.

Timeline of Events

The timeline in this breach is worth examining closely, because the gap between initial compromise and consumer notification tells a familiar story in the payments sector.

On or around August 22, 2025, Gravity Payments learned of the incident when a third-party service provider reported that a vulnerability in its software had been exploited. An unauthorized actor gained access to certain files belonging to Gravity that were stored within the provider's customer relationship management (CRM) platform.

Gravity states that it immediately launched an investigation, engaging third-party cybersecurity experts. The company also permanently revoked the service provider's access to its data and notified law enforcement.

January 15, 2026 marks the date Gravity completed its review of affected files and confirmed which individuals had personal information exposed. The February 4, 2026 Maine AG filing followed roughly three weeks later.

That puts the total timeline at roughly 166 days from discovery to the Maine filing. Maine's breach notification statute (10 M.R.S. Section 1348) requires notification "as expediently as possible and without unreasonable delay," and since a 2019 amendment sets an outer limit of 30 days after the entity becomes aware of a breach, with delay permitted only for legitimate law enforcement needs or for measures necessary to determine the scope of the breach and restore the integrity of the affected system. The five-month window between discovery and notification, though not unusual for breaches requiring document-level review, will draw scrutiny from regulators evaluating whether Gravity acted with appropriate urgency and when the 30-day clock properly started.

What Data Was Exposed

The breach notification letter uses templated language for the specific data fields, listing "name and [Extra2]" as the exposed information. This template structure means that different individuals may have had different data types compromised, a common pattern when attackers access CRM systems containing varied record types.

Given that Gravity is offering Experian credit monitoring and identity restoration services to affected individuals, the exposed data almost certainly extends beyond names alone. When companies provide credit monitoring, it typically signals that the breach involved Social Security numbers, financial account numbers, or other data that enables identity theft or account fraud.

For payment processors, the data stored in CRM platforms can include merchant identification numbers, banking details for settlement accounts, contact information for business owners, and in some cases tax identification numbers tied to merchant onboarding. Even a limited exposure from a CRM system can hand attackers the building blocks for targeted business email compromise (BEC) schemes, fraudulent account changes, or social engineering attacks against the merchants themselves.

How the Attack Happened

The breach originated not within Gravity's own infrastructure but through a vulnerability in software operated by an unnamed third-party CRM provider. According to the notification, an unknown actor exploited this flaw to access files belonging to Gravity that were stored on the provider's platform.

This pattern is strikingly similar to what we tracked in the Marquis Software Solutions breach, where an unpatched vulnerability in a vendor's network appliance gave the Akira ransomware gang access to data from over 80 financial institutions. In both cases, the financial services company's own network was not directly compromised. The attack surface was the vendor.

The payments industry is particularly vulnerable to this type of supply chain attack because processors routinely share sensitive data with multiple service providers for CRM, underwriting, compliance monitoring, and merchant onboarding. Each integration point represents a potential entry vector. We have tracked similar third-party compromise patterns affecting firms like Continental Casualty Company (CNA) and 1st MidAmerica Credit Union, both of which disclosed breaches in January 2026 linked to external system compromises.

Gravity's decision to permanently revoke the third-party provider's access is a strong remediation step, but it raises an operational question: what system replaced the CRM, and was data migration handled securely?

Who Is Affected

The Maine AG filing lists 2,278 individuals as affected, including an unspecified number of Maine residents. Gravity Payments operates nationally, serving merchants across the United States, so the affected population likely spans multiple states.

The individuals notified could include business owners who onboarded as Gravity merchants, employees whose information appeared in CRM records, or end consumers whose data was captured through payment processing relationships. Given that Gravity's CRM would contain merchant relationship data, many of those affected are likely small business owners, a population that often lacks dedicated fraud monitoring resources.

Gravity is headquartered at 110 N 27th St, Boise, ID 83702, and the notification letter directs recipients to a dedicated assistance line at 833-931-5050.

Regulatory and Legal Implications

Payment processors occupy a unique position in the regulatory framework. Unlike banks and credit unions that answer primarily to federal prudential regulators, payment processors face a patchwork of state-level oversight, card network rules, and federal regulations that apply based on their specific activities.

Under the Gramm-Leach-Bliley Act (GLBA), Section 501(b), financial institutions, including payment processors that handle consumer financial data, must implement safeguards appropriate to the sensitivity of the information they maintain. The FTC Safeguards Rule (16 CFR Part 314) provides specific requirements for non-bank financial institutions, including risk assessments that must account for third-party service provider arrangements and an explicit obligation (314.4(f)) to select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess the providers.

The PCI Data Security Standard (PCI DSS) also applies directly to Gravity's operations. PCI DSS Requirement 12.8 mandates that entities maintain policies and procedures for managing third-party service providers, including an inventory of providers with a description of the service each performs, written agreements acknowledging the provider's responsibility for securing cardholder data, and at least annual monitoring of each provider's compliance status. If the CRM vendor had access to any cardholder data environment (CDE) information, the breach could trigger PCI compliance review and potential penalties from card networks passed through Gravity's acquiring bank.

State attorneys general in Maine and the other states listed in the notification letter, including Connecticut, New York, New Jersey, Massachusetts, and Oregon, each have independent authority to investigate and enforce their breach notification statutes. New York's SHIELD Act, for example, imposes specific data security requirements on any company holding private information of New York residents, regardless of where the company is based.

For the broader payments industry, this incident is another data point supporting increased regulatory focus on third-party risk management. The FFIEC's guidance on technology service providers has consistently emphasized that financial institutions cannot outsource accountability for data protection. Firms that rely on third-party CRM systems must ensure those vendors undergo regular security assessments and maintain contractual obligations around vulnerability management and incident notification.

The Bigger Picture

The Gravity Payments breach is modest in scale: 2,278 individuals is far smaller than the mega-breaches that dominate headlines. But the incident pattern it represents is anything but minor. Third-party compromises now account for a significant and growing share of breaches across the financial sector. The 2025 Verizon Data Breach Investigations Report found that third-party involvement was a factor in 30% of breaches, double the rate from the prior year.

Our breach tracker shows a steady stream of financial services firms disclosing incidents linked to vendor compromises in late 2025 and early 2026. From insurance carriers to credit unions to payment processors, the attack surface that matters most is often the one the organization does not directly control.

The FBI's Internet Crime Complaint Center (IC3) has flagged business email compromise and vendor impersonation as top threats to financial services firms. When attackers gain access to CRM data, specifically the names, contact details, and business relationships stored within, they acquire exactly the intelligence needed to execute convincing BEC campaigns or redirect payment flows.

For payment processors, this risk is amplified by the volume of financial data flowing through their systems daily. A compromised CRM does not just expose static records; it can reveal transaction patterns, merchant relationships, and operational details that make follow-on attacks more targeted and more credible.

The FS-ISAC has repeatedly urged financial services firms to treat vendor risk management as a board-level concern, not a checkbox exercise buried in procurement workflows.

Action Items

If you are a Gravity Payments merchant, business partner, or received a notification letter, take these steps immediately:

  1. Enroll in the Experian credit monitoring offered by Gravity within the 90-day window. Visit experianidworks.com/1Bcredit and use the activation code from your letter.

  2. Place a fraud alert or credit freeze with all three bureaus (Equifax, Experian, TransUnion). A freeze is stronger than an alert and prevents new accounts from being opened in your name without explicit authorization.

  3. Monitor your business accounts closely. If you are a merchant, review settlement account activity, watch for unauthorized changes to your banking details on file with Gravity, and confirm that no fraudulent ACH or wire instructions have been submitted.

  4. Be alert for targeted phishing. Attackers who obtained CRM data may impersonate Gravity Payments or reference your business relationship in follow-up emails or calls. Verify any communication requesting account changes through a known, trusted phone number.

  5. Review your own vendor management practices. If your business shares sensitive data with third-party platforms, confirm what data they hold, where it is stored, and whether their security posture has been assessed within the past 12 months.

  6. File a complaint with the FTC at identitytheft.gov if you discover any signs of identity theft or account fraud.

  7. Document everything. If regulatory inquiries or litigation follow, having a clear record of the notification you received, the steps you took, and any suspicious activity you observed will be essential.

Tags: breach, payments, third-party, maine, personal-information