Data Security Breach • Identity Theft Risk • Corporate Negligence
Your Fingerprints. Your Social Security Number. Their Security Failure.
The Non-Financial Ledger: What This Actually Costs You
There is a word in the breach notification letter that should stop you cold: biometric. Best Collateral is not just telling you that someone may have your Social Security number or your driver’s license number. They are telling you that someone may have your fingerprints, your retina scan, your palm print, or whatever physical identifier you gave them. And here is the thing about your body: you only get one.
A Social Security number is a nine-digit string. It is horrible when someone steals it, but in some circumstances it can be flagged, monitored, and managed. A password can be reset. A credit card number can be cancelled and reissued. A biometric data point cannot. Your fingerprints are your fingerprints for your entire life. If an attacker now holds a digital template of your fingerprint and uses it to defeat a biometric security system, there is no “change your fingerprint” button you can press. The damage is not temporary. It is not measurable in months. It is the rest of your life.
Think about the population of people who are customers of a collateral lender. These are not people with abundant financial cushions. People who use collateral lending services are often doing so because traditional credit is inaccessible to them. They came to Best Collateral in a moment of financial strain and gave over their most personal identifying documents: their driver’s license, their biometric data, their military ID if they served their country. They trusted this company with the documents that say, definitively, who they are. In return, they received a form letter with a missing custom field in the subject line, a deadline, and an apology.
The 24-day gap between discovery and confirmation is its own wound. From January 17 to February 10, 2025, investigators were piecing together what happened while affected individuals had no idea. During those 24 days, any stolen Social Security number could have been used to open a fraudulent account, file a false tax return, or apply for government benefits in someone else’s name. Anyone whose military identification number was taken is facing a distinct and serious set of risks involving federal benefits and military records. And anyone whose health insurance policy information was exposed may face fraudulent medical claims filed in their name, a form of identity theft that is notoriously difficult to detect and correct.
Best Collateral’s offer of 12 months of credit monitoring is a gesture that deserves to be named for what it is: a 12-month subscription to a service that will tell you after the fact that something bad has already happened. Credit monitoring does not stop identity theft. It notifies you of it. That is the corporate equivalent of installing a smoke alarm in a house that is already burning and calling it fire protection.
“Your fingerprints are your fingerprints for your entire life. If an attacker holds a digital template of your fingerprint, there is no ‘change your fingerprint’ button you can press.”
The notification letter itself carries its own indignity. The subject line reads: “Subject: Notice of Data <Custom Field 1>”, an unfilled mail-merge placeholder sent to real people dealing with a real crisis. The salutation uses merge tags. The enrollment code for the free monitoring service is listed as “<UniqueCode>” in the template. This is the document Best Collateral composed to tell you that your most sensitive personal information may be in the hands of criminals. They could not be bothered to quality-check the mail merge before sending it.
Legal Receipts: What They Actually Said
The breach notification letter sent by Best Collateral, Inc. in March 2025 is the primary source document. The following are direct, verbatim quotes from that letter, followed by analysis of what each one reveals or admits.
“On or around January 17, 2025, we discovered suspicious activity within our network and immediately initiated an investigation of the matter.”
- The phrase “on or around” tells you Best Collateral does not have a precise timestamp for when they first noticed the intrusion. This vagueness matters because the longer it takes to detect a breach, the more data an attacker can extract.
- The word “immediately” is doing a lot of work here. It is meant to make the company look responsive. What it does not tell you is how long the attacker had already been inside the network before this discovery.
“As a result of the investigation, on or about February 10, we determined that certain files that contained personal information may have been acquired from our network without authorization.”
- There is a 24-day gap between January 17 (discovery) and February 10 (confirmation). During that entire window, affected customers received no warning. They had no opportunity to freeze their credit, monitor their accounts, or take any protective action.
- The word “may” appears throughout this letter wherever Best Collateral describes what was taken. This is legal hedging. It limits the company’s admission of liability while still triggering the legal obligation to notify. Customers are left in the ambiguous position of not knowing with certainty whether their specific data was in the compromised files.
“Please note that we have no evidence of the misuse, or attempted misuse, of any potentially impacted information.”
- This statement is designed to be reassuring. It should not be. “No evidence of misuse” means exactly what it says: the company has not yet detected confirmed fraud linked to this breach. It does not mean misuse has not occurred. Dark web markets operate with anonymity. Stolen data is often held for months before it is deployed, specifically to outlast the monitoring window that companies like Best Collateral typically offer (in this case, 12 months).
- Biometric data in particular has no immediate-use timeline. A stolen fingerprint template can be weaponized whenever a criminal finds a system that relies on it. The company’s statement of “no evidence” is temporally limited in a way that the actual risk is not.
“It may have included your name, health insurance policy information, and/or Social Security numbers. If you have been a customer, the information may have included your name, driver’s license number, biometric information, and/or military identification number.”
- This passage distinguishes two populations: people who received the general notification and people who were specifically customers. The use of “and/or” across every category means Best Collateral has not specified, or cannot specify, which data types apply to which individual recipient. Every person reading this letter must assume the worst-case scenario because the company has not told them anything more precise.
- The inclusion of “biometric information” in the customer-specific category is the most alarming disclosure in the entire letter. Most data breaches involve information that can, with effort and inconvenience, be changed or flagged. Biometric data cannot. This single line makes this breach categorically more serious than a typical credential theft incident.
“Subject: Notice of Data <Custom Field 1>”
- This is the literal subject line of the breach notification as it appears in the document template. The merge field that was supposed to populate the type of notice (for example, “Security Incident”) was never filled in. Best Collateral sent a form letter to people whose most sensitive personal data had been stolen, and did not proofread it before sending.
- This is not a minor clerical error in context. It signals the level of care and attention the company applied to one of its most important legal and ethical obligations. If this is the quality of their communication under scrutiny, it raises reasonable questions about the quality of the security practices that existed before the breach.
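The pre-send check that would have caught the unfilled subject line, written here as an added example (it is not code from Best Collateral or from the letter); the template text and field names are constructed, modelled on the merge tags quoted above:

```python
import re
from typing import Dict, List, Tuple

# Constructed letter template using <Tag> merge fields, modelled on the tags
# quoted from the breach notification (not the real letter text).
TEMPLATE = """Subject: Notice of Data <Custom Field 1>
Dear <FirstName> <LastName>,
On or around January 17, 2025, we discovered suspicious activity within our network.
Your enrollment code: <UniqueCode>
Enrollment deadline: 90 days from the date of this letter.
"""

# Merge-tag syntaxes that must never survive rendering. Assumption: genuine
# letter content never contains a bracketed word like <Name> or {{name}}.
PLACEHOLDER_PATTERNS = [
    re.compile(r"<([A-Za-z][A-Za-z0-9 _-]*)>"),        # <Custom Field 1>
    re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}"),   # {{ first_name }}
]


def render(template: str, values: Dict[str, str]) -> str:
    """Fill <Tag> fields from values. A tag with no value is left in place,
    which reproduces the failure mode in the letter: the subject line was
    sent with its merge field still reading <Custom Field 1>."""
    return PLACEHOLDER_PATTERNS[0].sub(
        lambda m: values.get(m.group(1), m.group(0)), template)


def find_unfilled_placeholders(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, token) for every merge tag left in a rendered letter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in PLACEHOLDER_PATTERNS:
            for m in pat.finditer(line):
                findings.append((lineno, m.group(0)))
    return findings


def approve_for_send(text: str) -> bool:
    """Release gate: a rendered letter may go out only if nothing unfilled remains."""
    return not find_unfilled_placeholders(text)


if __name__ == "__main__":
    letter = render(TEMPLATE, {"FirstName": "Jane", "LastName": "Doe",
                               "UniqueCode": "CODE-EXAMPLE"})
    for lineno, token in find_unfilled_placeholders(letter):
        print(f"line {lineno}: unfilled merge field {token}")
    print("approved" if approve_for_send(letter) else "BLOCKED")
```

Running it with the mapping above leaves the subject line unfilled and blocks the send; supplying a value for "Custom Field 1" lets it through.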
“Best Collateral is offering 12 months of credit monitoring. Credit monitoring does not stop identity theft. It notifies you of it. After the fact.”
Societal Impact Mapping
Public Health
Health insurance data exposure creates a specific and serious pathway for medical identity theft that harms people in ways that reach far beyond their bank accounts.
- Fraudulent medical claims filed under a stolen health insurance policy can exhaust a victim’s annual or lifetime policy benefits, leaving them without coverage when they actually need medical care.
- Medical records corrupted by someone else’s fraudulent treatment can introduce false diagnoses, allergies, or medication histories into a victim’s file. This can lead to dangerous clinical errors during future medical treatment.
- Correcting medical identity theft requires victims to navigate a complex and time-consuming dispute process across healthcare providers, insurance companies, and credit bureaus simultaneously, often at personal expense and without guaranteed resolution.
- Military personnel and veterans whose military identification numbers were exposed face an elevated risk of fraudulent claims related to military health benefits, the VA system, and service-related compensation programs.
The customers of a collateral lender are disproportionately people who already face barriers to mainstream financial services. This breach targets a population with the fewest resources to absorb the consequences.
- Identity theft recovery is time-intensive and financially costly. Victims must purchase credit locks, consult attorneys, file disputes, and in some cases take time off work to resolve fraudulent accounts. People with lower incomes bear this burden at a higher cost relative to their means.
- Fraudulent accounts opened with a stolen Social Security number can tank a victim’s credit score, cutting off access to housing, employment background checks, and utility services. For people who were already credit-constrained, this can be catastrophic.
- The 12 months of credit monitoring offered by Best Collateral expires. After that window closes, victims who cannot afford paid monitoring services are left unprotected, while the stolen data retains its value and usefulness to criminals indefinitely.
- The enrollment process for the free monitoring requires an internet connection and an email account, and is explicitly unavailable to minors under 18. Individuals without reliable internet access or who are below 18 cannot access even the minimal protection being offered.
- Social Security numbers obtained in this breach can be used to file fraudulent tax returns, potentially delaying or diverting legitimate tax refunds that lower-income households depend on. The IRS identity theft resolution process can take over a year.
What Now? Steps That Actually Protect You
Best Collateral’s letter was signed by Robert E. Verhoeff, President of Best Collateral, Inc. The company is offering minimal monitoring. You need to go further, and you need to go further now.
Immediate Actions
- Place a security freeze on your credit with all three bureaus (Equifax, Experian, and TransUnion), not just a fraud alert. A freeze is stronger. It blocks new credit from being opened in your name without your PIN. It is free by law. Do this before you do anything else.
- File your taxes as early as possible this season. Stolen Social Security numbers are frequently used to file fraudulent tax returns and claim refunds before the real filer submits. Early filing defeats this attack.
- Contact your health insurance provider directly and ask them to flag your account for suspicious claims. Request a record of all claims filed in your name in 2025. You have the right to this information.
- If you are a veteran or active military and your military ID number was exposed, contact the Defense Finance and Accounting Service (DFAS) and your branch’s personnel office to flag your record for potential misuse.
- Enroll in the TransUnion monitoring offered by Best Collateral, but treat it as a floor, not a ceiling. The enrollment deadline is 90 days from the date on the letter. Use the code provided in your individual letter.
- After the 12-month free period ends, look into the credit bureaus’ free annual credit report options at annualcreditreport.com. You are entitled to one free report from each bureau per year by law under the Fair Credit Reporting Act.
Regulatory Watchlist
- Federal Trade Commission (FTC): Report identity theft at identitytheft.gov. The FTC creates a personalized recovery plan and provides official documentation for disputing fraudulent accounts. Phone: 877-438-4338.
- Consumer Financial Protection Bureau (CFPB): If financial institutions mishandle fraud claims or credit disputes resulting from this breach, file a complaint with the CFPB at consumerfinance.gov/complaint.
- Your State Attorney General: Data breach notification laws vary by state, and your state AG may have enforcement authority over Best Collateral’s disclosure timeline and obligations. The California AG is specifically listed in the breach letter at oag.ca.gov/privacy.
- Federal Bureau of Investigation (FBI): Best Collateral states it has notified the FBI. You can also report cybercrime independently at ic3.gov, the FBI’s Internet Crime Complaint Center.
- Fair Credit Reporting Act (FCRA): You have legally guaranteed rights to know what is in your credit file, to dispute inaccurate information, and to have it corrected. Exercise these rights directly with the bureaus if fraudulent activity appears.
Collective Action
- Connect with your neighbors, family members, and community groups about placing credit freezes. This information is not widely known, and helping one person do it protects everyone in their financial network from downstream fraud.
- Mutual aid networks and community legal aid organizations can help low-income individuals navigate identity theft disputes without paying for private attorneys. Search for legal aid in your state or contact your local bar association’s referral service.
- Push your elected representatives to support stronger biometric data protection laws. Once your fingerprint data is stolen, no notification letter, no monitoring service, and no settlement check makes you whole. The only real solution is laws that prevent companies from retaining biometric data longer than necessary and that impose meaningful penalties when they fail to secure it.
The source document for this investigation is attached below.