
An Everett-based Fluke Corp. employee has slapped the industrial-testing manufacturer with a federal class-action lawsuit, claiming the company failed to safeguard workers’ personal data after a 2025 cyber intrusion that exposed sensitive files for months. The complaint says roughly 18,517 people, including employees and other business partners, had Social Security numbers, birth dates and disability self-identification data exposed.
Fluke told affected individuals in a written notification that a criminal actor exploited a vulnerability in a third-party business application and accessed a limited segment of its network from Aug. 10 to Oct. 7, 2025. The company says it discovered the activity on Sept. 29, 2025, and completed its data forensics analysis on May 8, 2026.
The class action, filed June 5 in U.S. District Court in Seattle, alleges Fluke dragged its feet on notifying employees and failed to properly monitor its network, as reported by HeraldNet. The complaint says the notice letters left out key details, including who the cybercriminals were, which third-party application was exploited and what steps were taken to prevent a repeat incident. The plaintiff also claims an uptick in unwanted calls, texts and emails after receiving the company’s notice, according to court filings.
What Fluke Told Workers
In its notice, Fluke says it hired outside cybersecurity and forensics firms, expelled the intruder, patched the affected third-party application and reset administrative passwords to secure systems. The company is offering two years of identity-theft protection and credit monitoring through Epiq/Equifax and has provided a call center and an activation code for enrollment, according to Fluke.
Timeline And Scope
State breach filings list 18,517 people as potentially affected and show Fluke began mailing written notification letters on May 15, 2026. The filings and notice letters say the exposed data included names, Social Security numbers, dates of birth and an indicator of whether someone self-identified as having a disability, according to the Maine Attorney General.
Legal Angle
The complaint seeks monetary relief, company-funded security upgrades, future audits and longer-term credit monitoring paid for by Fluke instead of the 24 months the company offered, according to HeraldNet. The case is in its early stages in the Western District of Washington and could open the door to detailed discovery on how quickly Fluke detected, contained and reported the intrusion.
Ransomware And Vendor Risk
Security trackers and privacy outlets have noted that the Clop ransomware group listed Fluke on a dark-web leak site, though Fluke has not publicly confirmed that claim. Researchers say the incident stemmed from an exploited third-party application, a common attack route that can turn a vendor’s software into an entry point for criminals, according to Comparitech. The episode highlights how supplier or vendor software vulnerabilities can widen a company’s exposure and slow down notification timelines.
What Affected Workers Should Do
If you received a Fluke notice, hang on to the letter and activation code and consider enrolling in the identity-protection service the company is offering while you keep an eye on credit reports and benefit statements for anything suspicious. Consumers can place a fraud alert or freeze their credit and can file an identity-theft report that generates a recovery plan at IdentityTheft.gov. State filings say Fluke’s notice also lists a dedicated call center for questions. If litigation moves forward, affected people should retain notice letters and any records of fraud or nuisance contacts, since those can become important evidence in legal claims or in reports to regulators.









