Stellantis Left Your Social Security Number on the Table
A ransomware gang stole 1 terabyte of customer data from Chrysler’s parent company on Christmas Day 2025. A new class action says the company knew the risks and still did nothing.
On Christmas Day 2025, the ransomware group Everest broke into Chrysler/FCA’s servers and walked out with 1 terabyte of customer data, including Social Security numbers, dates of birth, and home addresses. When the company reportedly refused to pay a ransom, the criminals published that data for anyone to see on January 4, 2026. Tens of thousands of people who simply bought a Jeep, Dodge, Ram, or Chrysler vehicle now face a lifetime risk of identity theft. A class action lawsuit filed in January 2026 says the company failed to use basic, well-documented security measures that could have stopped the attack.
Read on to understand how one of the world's largest automakers failed the people who trusted it with their most sensitive information.
🚨 Somewhere in the United States, a family bought a Jeep. They handed over their Social Security number, date of birth, home address, and phone number because the law and the purchase process required it. They trusted the company on the other end of that transaction to protect what they shared. That company was FCA US LLC, the American arm of Stellantis, one of the largest automakers on earth. And according to a federal class action lawsuit, Stellantis failed them completely.
The breach happened on Christmas Day, 2025. While Americans were opening gifts, a ransomware group called Everest was inside Chrysler’s servers, copying 1 terabyte of customer data. The group then threatened to publish everything unless the company paid a ransom. When FCA reportedly refused, Everest published the stolen records publicly on January 4, 2026. Names. Addresses. Birthdays. Social Security numbers. All of it.
Inside the Allegations: What Stellantis Knew and Failed to Do
The lawsuit, filed in the Eastern District of Michigan, names FCA US LLC (doing business as Stellantis North America) as the defendant. The plaintiffs, Loria and Thomas Spadafore of Illinois, purchased a 2023 Jeep Gladiator and provided FCA with their personal information as required for the transaction. Their data is now in the hands of criminals.
The complaint alleges that FCA failed to implement basic cybersecurity measures that the industry has considered standard practice for years. The list of failures includes: no multi-factor authentication, no adequate data encryption, no data deletion protocols for information no longer needed, and no compliance with recognized frameworks like the NIST Cybersecurity Framework or the Center for Internet Security’s Critical Security Controls.
“If I have your name and your Social Security number and you don’t have a credit freeze yet, you’re easy pickings.”
Tom Stickley, Data Security Researcher, quoted in TIME magazine and cited in the court filing

These are not obscure or expensive requirements. Multi-factor authentication, the practice of requiring a second verification step beyond a password, costs little to implement and blocks the overwhelming majority of unauthorized login attempts that rely on a stolen, guessed, or reused password. It is not a complete defense on its own: an attacker who already holds a valid session or who exploits an unpatched remote service never reaches the login prompt, which is why the complaint pairs it with encryption and data deletion, the controls that limit what an intruder can take once inside. The complaint states plainly that FCA failed to do even this.
The Company Had Already Been Warned
This breach did not arrive without warning. The lawsuit points out that in September 2025, just months before the Christmas Day attack, FCA's parent company, Stellantis, experienced a separate data breach in which unauthorized third parties accessed customer information through a third-party service provider's platform. Stellantis itself issued a public statement about that earlier incident.
Despite that direct warning, the lawsuit alleges that FCA still did not strengthen its defenses on the American side of the business. The Everest ransomware group found the door open.
Profit-Maximization at All Costs: Why Companies Collect This Data
FCA did not collect your Social Security number out of obligation alone. The company’s own privacy policy, cited in the complaint, describes using customer PII to “conduct research and analytics, personalize content, advertise and market to customers, and support business operations.” Customer data is a revenue tool. The company benefited financially from collecting it. The lawsuit argues that customers effectively paid for data security when they purchased their vehicles, and that FCA failed to deliver what they paid for.
💰 The unjust enrichment claim in the lawsuit frames this precisely: customers paid money for a vehicle purchase that required handing over sensitive data, with a reasonable expectation that the company would protect it. FCA collected the benefit. FCA kept the money. FCA did not secure the data.
The Real Market Value of Stolen Data
Personal data is not abstract. It trades on criminal markets. The combination of a name, a Social Security number, and a date of birth gives a thief the equivalent of a master key to someone’s financial identity. They can open credit cards, take out loans, apply for government benefits, file fraudulent tax returns, and even use a victim’s identity during a police arrest. Unlike a stolen credit card, a stolen Social Security number cannot simply be canceled. The Social Security Administration requires victims to prove ongoing harm before issuing a new number, meaning the damage must already be done before the government will act.
The Economic Fallout: A Lifetime of Vigilance, Paid for by Victims
The people affected by this breach now face costs that FCA will not pay. Credit monitoring services. Fraud alerts. Credit freezes across all three bureaus. Hours spent reviewing accounts, disputing unauthorized charges, and filing police reports. The Identity Theft Resource Center found that most victims of identity crimes spend more than a month resolving the damage, and some spend over a year.
📉 The class action seeks reimbursement for these out-of-pocket costs, as well as compensation for the diminished value of the customers’ personal information as a property right. But no legal settlement will undo the anxiety of knowing your most sensitive data is permanently circulating on the internet.
Plaintiffs and Class Members now must live with the knowledge that their personal information is forever in cyberspace, taken by people willing to use it for any number of improper purposes.
Class Action Complaint, Spadafore v. FCA US LLC, filed January 2026

Corporate Accountability Fails the Public: The Legal Loopholes That Let This Happen
The United States has no single federal data protection law equivalent to Europe’s General Data Protection Regulation. Companies operating here face a patchwork of state laws, sector-specific rules, and FTC guidance that creates enormous room for negligence to go unpunished until after a breach occurs. The lawsuit cites Section 5 of the FTC Act, which prohibits unfair practices in commerce, as one legal basis for FCA’s liability. But the FTC generally cannot levy civil penalties for a first violation of Section 5 (it needs a prior consent order or a trade regulation rule to point to), and enforcement is slow.
The Illinois plaintiffs also invoke the Illinois Consumer Fraud and Deceptive Business Practices Act. Illinois’s breach notification requirement, set out in its Personal Information Protection Act, is enforceable through that statute, and it requires notification of affected residents without unreasonable delay. The complaint alleges FCA failed to notify customers promptly, compounding the harm by leaving people unaware that their data was already in criminal hands.
Legal Minimalism as Corporate Strategy
The NIST Cybersecurity Framework and the Center for Internet Security’s Critical Security Controls are not laws. They are voluntary guidelines. Companies that ignore them face no automatic penalty. The lawsuit lists more than a dozen specific NIST controls it alleges FCA failed to meet. Each one represents a documented, well-understood, industry-accepted defense against exactly the kind of ransomware attack that hit the company on Christmas Day. None of them calls for exotic technology or extraordinary investment. They required will.
This Is the System Working as Intended
🏭 FCA’s failure is not an anomaly. It is a predictable result of a system that treats consumer data protection as optional overhead rather than a legal obligation. When compliance is voluntary, and when enforcement arrives only after harm is done, the rational corporate calculation is to delay investment in security until the cost of a breach exceeds the cost of prevention. For the people whose Social Security numbers are now on the dark web, that calculation has already failed them.
Stellantis is one of the world’s largest automakers, with revenues in the hundreds of billions of dollars. The company had the resources to implement multi-factor authentication, encrypt its customer databases, and conduct regular security audits. The complaint alleges it did none of these things adequately. The gap between what the company could afford and what it actually provided is not a resource problem. It is a priority problem.
Pathways for Reform: What Would Actually Protect People
The lawsuit demands injunctive relief requiring FCA to adopt and implement real data security practices going forward. But litigation alone will not fix a structural problem. Meaningful reform requires a federal comprehensive data protection law with mandatory minimums, automatic penalties for breaches caused by negligence, and a genuine right to data deletion. Until companies face financial consequences proportional to the harm they cause, the incentive structure remains unchanged.
Individual consumers can take protective steps today. A credit freeze with all three major bureaus (Equifax, Experian, and TransUnion) is free, effective, and blocks new credit accounts from being opened in your name without your knowledge. It is the single most powerful tool available to someone whose Social Security number has been exposed. It is not the only one needed: a freeze does nothing against fraudulent tax filings, government benefit claims, or takeover of accounts you already hold, so pair it with an IRS Identity Protection PIN and regular review of existing account statements.
Conclusion: The Human Cost Behind the Legal Filing
A couple in Illinois bought a truck. They signed paperwork. They handed over their Social Security numbers because the process required it, and because they trusted that the company would protect what they shared. That trust was not honored.
The class action lawsuit is not just a legal filing. It is documentation of a corporate failure that will cost real people real money, real time, and real peace of mind for years to come. The legal system may eventually provide partial compensation. It will not provide the one thing these customers actually needed: a company that took their data seriously before the breach, not after.
⚖️ Corporate social responsibility cannot mean issuing a statement after your customers’ most sensitive information ends up on a criminal marketplace. It has to mean encryption. It has to mean multi-factor authentication. It has to mean treating customer data as a liability to protect, not just an asset to exploit.
Frivolous or Serious? An Assessment of This Lawsuit
This lawsuit presents a serious, well-documented case. The plaintiffs identify a specific breach date, a named ransomware group, a specific volume of data stolen, a specific date of public publication, and a prior breach at the parent company that put FCA on notice. The security failures alleged are concrete and specific: missing multi-factor authentication, failure to encrypt data, and non-compliance with named industry frameworks. These are not vague allegations.
The legal theories (negligence, breach of implied contract, unjust enrichment, and violation of the Illinois Consumer Fraud Act) are all established and frequently litigated in data breach cases. Courts have repeatedly found standing for plaintiffs in similar cases where Social Security numbers were exposed. The presence of a second Stellantis-connected breach just months prior strengthens the “knew or should have known” element of the negligence claim significantly.
This is a serious lawsuit with a credible factual foundation.
If you purchased or leased a Chrysler, Dodge, Jeep, or Ram vehicle and provided your Social Security number during the transaction, your data may have been included in the breach. The complaint alleges the breach affected tens of thousands of customers nationwide. Monitor your credit reports and watch for notifications from FCA.
Place a credit freeze with all three major credit bureaus: Equifax, Experian, and TransUnion. A freeze is free and prevents new credit accounts from being opened in your name without your explicit authorization. You can also place a fraud alert, which requires lenders to verify your identity before extending new credit; an initial alert lasts one year, and an extended alert lasts seven years if you have filed an identity theft report. Both steps are free and available to all Americans under federal law.
The lawsuit is in early stages and has not yet been certified as a class action. If the court certifies the class, affected customers nationwide (and an Illinois subclass) may automatically be included. You can follow the case at the Eastern District of Michigan federal court using case number 2:26-cv-10214. Consulting an attorney who handles data breach cases is advisable if you have experienced documented identity theft or fraud as a result.
Contact your federal representatives and senators and urge them to support comprehensive federal data privacy legislation that mandates encryption, multi-factor authentication, and data minimization for companies that collect consumer PII. Support state-level data protection bills modeled on the Illinois BIPA or California’s CCPA and CPRA. When companies experience breaches caused by negligence, file complaints with the FTC at reportfraud.ftc.gov. Public pressure and regulatory complaints are among the few tools that create real accountability before a breach, not after it.
The Social Security Administration requires individuals to demonstrate ongoing, documented harm from the misuse of their existing number before issuing a new one. That means the fraud and identity theft must already be happening before the government will act. This is no safety net for the many victims of this data breach. It’s instead a system that forces them to absorb the first hit before receiving any relief.