Corporate Accountability Project | Investigative Report | Nissan North America Data Breach
Data Breach Accountability
Nissan Exposed Its Workers.
Then Settled for Pennies.
A November 2023 cyberattack on Nissan North America compromised employees’ Social Security numbers, medical records, and personal data. The company’s response: a $1.5 million cap shared among thousands of affected workers.
π΄ HIGH SEVERITY
TL;DR
On November 7, 2023, cybercriminals gained unauthorized access to Nissan North America’s computer network and stole employees’ most sensitive personal data, including Social Security numbers, dates of birth, pay information, and medical records. Nissan failed to build the basic security infrastructure required to protect this data, and workers paid the price with their identities and financial security. The company settled a class action lawsuit for a total cap of $1.5 million, meaning most affected workers can claim a maximum of $100 each, while Nissan’s attorneys took up to $500,000 of that same fund. Nissan has admitted no wrongdoing.
This is what corporate indifference to worker safety looks like. Demand better data security protections for employees, or companies will keep treating your private information as an acceptable casualty of cutting corners on security infrastructure.
Key Numbers
$1.5M
Total settlement cap for all claims
$500K
Maximum attorneys’ fees from the same fund
$100
Max flat payment per affected worker
$4,500
Max for workers with documented extraordinary losses
Nov 7
2023
2023
Date of unauthorized network access
2 yr
Credit monitoring offered to class members
$3K
Service award per named plaintiff
$0
Admitted wrongdoing by Nissan
Core Allegations: What Nissan Failed to Do
| 01 | Nissan failed to properly secure and safeguard employees’ private information stored on its computer network, including names, Social Security numbers, dates of birth, pay information, and medical records. | high |
| 02 | On or about November 7, 2023, cybercriminals gained unauthorized access to Nissan North America’s computer network as a direct result of Nissan’s inadequate security infrastructure. | high |
| 03 | Nissan stored some of the most sensitive categories of personal data, including Social Security numbers and medical records, without adequate protection, exposing workers to identity theft and financial harm. | high |
| 04 | Workers who had entrusted Nissan with their private information as a condition of employment had no meaningful choice in how that data was stored or secured. | high |
| 05 | The breach exposed pay information alongside Social Security numbers, creating conditions where affected workers face heightened risks of tax fraud, loan fraud, and account takeover. | high |
| 06 | Medical record exposure compounds harm beyond financial risk, with potential implications for workers’ insurance coverage, employment, and personal privacy for years into the future. | high |
Profit Over People: What Security Investment Costs vs. What Negligence Costs
| 01 | Nissan settled for a total cap of $1.5 million, an amount that, for a multinational automotive corporation generating billions in annual revenue, represents a rounding error rather than a meaningful financial consequence for security failures. | high |
| 02 | Up to $500,000 of the $1.5 million settlement fund goes directly to attorneys’ fees and costs, meaning the company’s total payment toward worker harm was capped at roughly $1 million before any pro rata reductions. | high |
| 03 | Settlement administration costs, service awards, and all other overhead are also drawn from the same $1.5 million cap, further shrinking the pool available to harmed workers. | medium |
| 04 | Workers who cannot document specific financial losses from the breach are limited to a maximum alternative payment of $100, subject to pro rata reduction based on total claims submitted, meaning actual payouts may be far less. | high |
| 05 | Nissan’s security improvements after the breach, including hardened firewalls, expanded endpoint detection, and enhanced monitoring, represent investments the company chose not to make before workers’ data was stolen. | medium |
Worker Exploitation: The Power Imbalance Behind the Breach
| 01 | Employees had no choice but to provide Nissan with their Social Security numbers, medical records, and pay information as a mandatory condition of employment, giving the company exclusive control over this irreplaceable data. | high |
| 02 | Workers who suffer identity theft or financial fraud as a result of the breach bear the full burden of recovery, including the time, money, and stress of disputing fraudulent accounts, correcting tax records, and monitoring their credit. | high |
| 03 | The settlement’s pro rata payment structure means that the more workers file claims, the less each one receives. Workers who organized collectively to hold Nissan accountable are paradoxically penalized by their own participation. | medium |
| 04 | Workers who do not submit a valid claim will release all legal rights against Nissan related to the data breach while receiving zero compensation, regardless of any harm they suffered. | high |
Public Health and Safety: Medical Data in Criminal Hands
| 01 | Nissan stored medical records for certain individuals on the same network as financial and identity data, and the breach exposed all of it simultaneously to unauthorized parties. | high |
| 02 | Exposure of medical records carries consequences beyond financial fraud, including potential misuse in insurance applications, targeted phishing using health information, and violation of workers’ most intimate personal privacy. | high |
| 03 | Unlike a stolen credit card number that can be replaced, a Social Security number or medical history cannot be changed. Workers affected by this breach carry the risk indefinitely, not just for the duration of the two-year credit monitoring Nissan offered. | high |
Corporate Accountability Failures: Settlement Without Accountability
| 01 | Nissan expressly denied all wrongdoing as part of the settlement, meaning no court ever found the company liable for the security failures that led to the breach, despite thousands of workers’ data being compromised. | high |
| 02 | No individual Nissan executives faced any personal financial or legal consequences for the company’s security failures, even though decisions about security investment are made at the executive and board level. | high |
| 03 | The settlement agreement specifies that its terms cannot be used as evidence of liability in any other proceeding, meaning Nissan is effectively shielded from this breach being used against it in future legal actions. | medium |
| 04 | Workers who remain in the settlement class and do not opt out permanently release all claims against Nissan and all related entities related to the data breach, foreclosing any future legal recourse even if new harms emerge. | high |
| 05 | The security improvements Nissan implemented after the breach were characterized in the settlement as steps the company “regularly and continually” takes, framing post-breach fixes as routine maintenance rather than a direct response to negligence. | medium |
The Bottom Line: What This Case Reveals
| 01 | Corporate data breach settlements routinely cap total compensation at amounts that are trivial relative to corporate revenue, creating a financial incentive structure that makes under-investment in security rational for large corporations. | high |
| 02 | Workers who trusted a major employer with their most sensitive personal data received, at best, a one-time payment of up to $100 and two years of credit monitoring, while the harms from identity theft can last a lifetime. | high |
| 03 | Without mandatory minimum per-person settlement floors and genuine regulatory penalties for corporate data negligence, companies will continue treating inadequate data security as an acceptable business risk rather than a fundamental duty of care to their workers. | high |
Timeline of Events
Nov 7, 2023
Cybercriminals gain unauthorized access to Nissan North America’s computer network, stealing employees’ Social Security numbers, dates of birth, pay information, medical records, and other private data.
Late 2023
Nissan begins notifying affected employees that their personal information may have been compromised, and offers initial two-year credit monitoring services.
Jun 18, 2025
Class action complaint filed in Williamson County Chancery Court, Tennessee, by Thomas Taylor, Bobby Carter, Ryan Levey, and Zackary Roberts on behalf of all affected employees.
Mid 2025
Case transferred to Tennessee Business Court, heard by Davidson County Chancery Court, Part II, Chancellor Anne Martin.
Mid 2025
Parties participate in mediation with class action mediator Michael Russell of Miles Mediation and Arbitration. Settlement terms are reached.
Dec-Jan 2025-26
Settlement agreement signed by all four named plaintiffs and class counsel, with Nissan signing through Senior Director Nagireddy Kudithini.
2026
Final Approval Hearing scheduled 110 days following Preliminary Approval Order. Class members have 90 days from notice commencement to submit claims.
Direct Quotes from the Legal Record
QUOTE 1
The breach exposed the most sensitive possible categories of employee data
Core Allegations
“This Action alleges that Nissan failed to properly secure and safeguard employees’ Private Information including names, Social Security Numbers, dates of birth, pay information and medical records for certain individuals.”
π‘ This single sentence defines what Nissan was trusted to protect: the full triad of identity, financial, and medical data that criminals need to destroy a person’s financial life.
QUOTE 2
Defining the breach: unauthorized access to the full network
Core Allegations
“The Action further alleges that as a result of this failure, cybercriminals gained unauthorized access to Nissan’s computer network on or about November 7, 2023.”
π‘ The settlement document itself acknowledges the causal chain: Nissan’s failure directly enabled the cyberattack, even as the company denies legal liability.
QUOTE 3
The hard cap: total worker compensation was never allowed to exceed $1.5 million
Profit Over People
“All Claims determined to be Valid Claims shall be paid in full by Defendant up to a cap of $1,500,000.00, inclusive of all Settlement Class relief (including Credit Monitoring, attorneys’ fees and costs for all Plaintiffs’ Counsel, Service Award payments, and Settlement Administration Costs).”
π‘ This clause reveals that attorneys’ fees, admin costs, and worker payments are all in competition for the same limited pool. Workers are not the priority.
QUOTE 4
Nissan admits no wrongdoing while thousands of workers bear the consequences
Corporate Accountability Failures
“Defendant does not in any way acknowledge, admit to, or concede any of the allegations made in the Action, and expressly disclaims and denies any fault or liability, or any charges of wrongdoing that have been or could have been asserted in the Action.”
π‘ Nissan pays millions to make this lawsuit disappear while publicly insisting it did nothing wrong. This is the standard playbook for corporations evading accountability.
QUOTE 5
Workers lose all legal rights whether they file a claim or not
Worker Exploitation
“If a Settlement Class Member does not submit a Valid Claim, the Settlement Class Member will release his or her claims against the Released Parties without receiving a Settlement Class Member Benefit.”
π‘ Nissan wins either way: workers who file claims receive minimal compensation, and workers who don’t file still lose their right to sue. The default outcome is free legal immunity for the company.
QUOTE 6
The settlement shields Nissan from future legal exposure indefinitely
Corporate Accountability Failures
“Nothing contained in this Agreement shall be used or construed as an admission of liability, and this Agreement shall not be offered or received in evidence in any action or proceeding in any court or other forum as an admission or concession of liability or wrongdoing of any nature.”
π‘ This clause prevents the fact of this settlement from being used against Nissan in any future legal action, permanently protecting the company from the reputational and legal consequences of its negligence.
QUOTE 7
What “Private Information” actually means in this case
Public Health and Safety
“‘Private Information’ means some combination of Settlement Class Members’ names, Social Security numbers, dates of birth, and employee identifications, and other personally identifiable information stored within Defendant’s information technology systems at the time of the Data Incident.”
π‘ Social Security numbers combined with dates of birth and employee IDs give criminals everything they need to open fraudulent accounts, file false tax returns, and steal identities for years.
QUOTE 8
Nissan frames post-breach security fixes as routine, not remedial
The Bottom Line
“Defendant represents that it regularly and continually takes steps to improve its security and resiliency generally, and as a part of that process, Defendant implemented several measures since November 2023 following notice of the Data Incident.”
π‘ By framing the post-breach security upgrades as part of an ongoing improvement process, Nissan avoids acknowledging that these measures were not in place when workers’ data was stolen.
Commentary
What exactly did the hackers take from Nissan’s systems?
According to the settlement documents, cybercriminals gained unauthorized access to Nissan North America’s network on November 7, 2023 and accessed employees’ Social Security numbers, dates of birth, names, pay information, employee identification numbers, medical records for certain individuals, and other personally identifiable information. This is not a partial breach: it is the full suite of data that identity thieves need to devastate someone’s financial life.
Is $1.5 million a fair settlement for a breach of this scale?
No. A $1.5 million cap for a breach of employees’ Social Security numbers and medical records at a multinational corporation worth billions is not meaningful accountability. It is a cost of doing business. For context, attorneys’ fees alone can consume up to $500,000 of that fund. The workers whose identities were put at risk receive at most $100 each under the flat-payment option, subject to pro rata reduction. The harm these workers face, including years of potential identity theft and financial fraud, is not fairly compensated by a check that may not cover a single hour of a fraud investigator’s time.
Why does Nissan get to deny all wrongdoing if it’s paying millions to settle?
This is standard practice in corporate class action settlements, and it is one of the most troubling features of the American civil litigation system. Companies pay settlements not because courts find them guilty, but because settling is cheaper and safer than going to trial. By including a no-admission-of-liability clause, Nissan avoids creating a legal record of wrongdoing that could be used against it in future cases, by regulators, or in employment litigation. Workers get a check; Nissan gets permanent immunity without ever having to answer for what happened to their data.
What are the long-term consequences for affected workers?
The consequences are serious and potentially lifelong. A Social Security number cannot be changed after a breach. Criminals who obtained this data can use it to file fraudulent tax returns, open credit accounts, take out loans, apply for government benefits, and commit medical fraud, all in the affected worker’s name. The two years of credit monitoring Nissan offered is a start, but it does not prevent fraud; it only alerts workers after the fact. Affected employees will need to monitor their financial and medical records for years, possibly decades.
How is it possible that medical records were stored on the same network as financial data?
This is a critical question about Nissan’s data governance, and the settlement documents do not provide a direct answer. The fact that medical records, Social Security numbers, and pay information were all accessible from the same network suggests that Nissan did not implement meaningful data segmentation or access controls. The most sensitive categories of data should be isolated from general network access. Nissan’s post-breach security improvements, including hardened firewalls and enhanced monitoring, suggest these controls were not adequately in place before the breach.
What should workers know about claiming their settlement benefits?
Affected workers who received notice of the breach should submit a claim form before the deadline to preserve any right to compensation. Workers with documented out-of-pocket expenses related to the breach, such as credit monitoring services they purchased, credit report fees, or costs related to identity recovery, should claim under Cash Payment A for Documented Losses, which allows up to $450 for ordinary losses and up to $4,500 for extraordinary losses. Workers without documentation can claim up to $100 under Cash Payment B, though this amount is subject to pro rata reduction. All claimants can also elect two years of credit monitoring. Workers who do nothing lose all legal rights against Nissan without receiving any compensation.
What can I do to prevent this from happening again?
Collective action and political pressure are the most effective tools available. Contact your congressional representatives and demand stronger federal data security legislation with mandatory minimum penalties that are proportional to a corporation’s revenue, not a fixed dollar cap that amounts to nothing for a major automaker. Support state-level data privacy laws that create private rights of action with meaningful per-person damages. If you are a worker, raise data security and privacy protections as a bargaining issue with your union or employee organization. Share this story with colleagues and demand transparency from your employer about how your data is stored and protected. Nissan and companies like it will continue to underfund data security until the legal and financial consequences of negligence exceed the cost of doing it right.
Does this settlement mean the security problems at Nissan are fixed?
Nissan implemented several post-breach security measures, including hardened firewall rules, expanded endpoint detection, increased penetration testing, and enhanced security training. These are meaningful steps, but they are steps Nissan should have taken before workers’ data was stolen. The settlement does not include independent verification that these measures are adequate or ongoing. There is no third-party audit requirement, no regulatory oversight of implementation, and no penalty if Nissan’s security improvements prove insufficient. Workers are left to trust that the same company that failed to protect their data is now doing enough to protect it going forward.
π‘ Explore Corporate Misconduct by Category
Corporations harm people every day β from wage theft to pollution. Learn more by exploring key areas of injustice.
- π Product Safety Violations β When companies risk lives for profit.
- πΏ Environmental Violations β Pollution, ecological collapse, and unchecked greed.
- πΌ Labor Exploitation β Wage theft, worker abuse, and unsafe conditions.
- π‘οΈ Data Breaches & Privacy Abuses β Misuse and mishandling of personal information.
- π΅ Financial Fraud & Corruption β Lies, scams, and executive impunity.
