Corporate Misconduct Accountability Project
Best Collateral, Inc. · Data Breach Notification
Best Collateral Data Breach Exposed SSNs and Biometric Data
Pawn shop collateral company Best Collateral waited seven weeks to notify customers after unauthorized access to files containing Social Security numbers, health insurance information, driver’s licenses, biometric data, and military identification numbers.
CRITICAL SEVERITY
TL;DR
Best Collateral discovered suspicious activity on its network on January 17, 2025, but did not confirm that personal information had been stolen until February 10, 2025. The company waited until March 2025 to notify affected individuals. The breach exposed names combined with Social Security numbers, health insurance policy information, driver’s license numbers, biometric information, and military identification numbers. The company offers only 12 months of free credit monitoring despite the permanent nature of biometric data theft.
If you received a notification letter, enroll in the monitoring services immediately and consider placing a security freeze on your credit reports.
7 weeks
Delay between detection and confirmed data theft
12 months
Duration of free credit monitoring offered
90 days
Enrollment deadline for monitoring services
$1M
Identity fraud loss reimbursement policy limit
The Allegations: A Breakdown
Core Allegations
What they did · 6 points
| 01 | Best Collateral discovered suspicious activity within its network on or around January 17, 2025, but did not determine that personal information had been acquired until February 10, 2025, creating a three-week gap in understanding the scope of the breach. | high |
| 02 | The company waited until March 2025 to send notification letters to affected individuals, a full seven weeks after detecting the initial suspicious activity and several weeks after confirming data theft. | high |
| 03 | Best Collateral exposed highly sensitive data including Social Security numbers, health insurance policy information, driver’s license numbers, biometric information, and military identification numbers. | critical |
| 04 | The company admits it stored biometric information and military identification numbers for customers, raising questions about why a pawn shop collateral company needed to collect and retain such sensitive data. | high |
| 05 | Best Collateral states it has no evidence of misuse or attempted misuse of the stolen information, but offers no explanation for how it would detect such misuse or what monitoring systems it has in place. | medium |
| 06 | The company offers only 12 months of complimentary credit monitoring despite biometric data being irreversible and permanent once compromised, leaving victims exposed after the monitoring period ends. | high |
Regulatory Failures
Gaps in oversight and enforcement · 4 points
| 01 | Best Collateral notified the Federal Bureau of Investigation but the notification letter provides no evidence of any regulatory penalties, fines, or mandated security improvements. | medium |
| 02 | The seven-week delay between detection and public disclosure appears to fall within legal windows in many states, demonstrating how fragmented state laws allow companies to control the timing of breach notifications. | high |
| 03 | No regulatory authority required Best Collateral to explain why it needed to collect and store biometric information and military identification numbers for pawn shop transactions. | medium |
| 04 | The notification letter contains no indication that any regulator mandated the 12-month monitoring period or required longer-term protections for victims whose biometric data was stolen. | medium |
Profit Over People
Cost-cutting and inadequate security · 5 points
| 01 | Best Collateral offers only 12 months of free credit monitoring, after which victims must pay for continued protection or manage the risk themselves, converting a security failure into a potential upsell opportunity. | high |
| 02 | The company provides no explanation of what security measures failed, what improvements have been implemented, or how much it has invested in preventing future breaches. | high |
| 03 | Best Collateral caps identity fraud loss reimbursement at $1 million across all victims, potentially leaving individuals undercompensated if widespread fraud occurs. | medium |
| 04 | The notification letter emphasizes that enrollment requires an internet connection and email account and may not be available to minors, placing barriers between victims and the limited protections offered. | medium |
| 05 | Victims have only 90 days from the letter date to enroll in monitoring services, creating an artificial urgency that may cause some affected individuals to miss the deadline entirely. | medium |
Exploiting Delay
Strategic use of time to minimize accountability · 4 points
| 01 | Best Collateral took nearly a month from detecting suspicious activity on January 17 to confirming data theft on February 10, leaving potential victims unaware and unable to protect themselves during the critical early window. | high |
| 02 | The company delayed public notification until March 2025, giving identity thieves seven weeks to exploit stolen data before victims could take protective measures like fraud alerts or security freezes. | critical |
| 03 | The notification letter is dated March XX, 2025 with placeholder text, suggesting Best Collateral prepared template communications rather than prioritizing rapid individual notifications. | medium |
| 04 | By the time victims receive notification and can act, stolen Social Security numbers and biometric data may already be circulating on dark web marketplaces or sold to identity theft rings. | high |
Public Health and Safety
Irreversible harm from biometric data theft · 4 points
| 01 | Best Collateral exposed biometric information, which unlike passwords or credit card numbers cannot be changed or reissued, creating permanent identity theft risks for affected individuals. | critical |
| 02 | The breach of military identification numbers puts service members and their families at heightened risk of targeted fraud, espionage, or other security threats. | critical |
| 03 | Victims whose health insurance policy information was stolen face potential medical identity theft, which can corrupt health records and lead to dangerous medical errors. | high |
| 04 | The combination of names with Social Security numbers, driver’s licenses, and biometric data creates a complete identity theft package that criminals can use to open accounts, file fraudulent tax returns, or commit crimes in victims’ names. | critical |
Community Impact
Harm to vulnerable populations · 4 points
| 01 | Best Collateral operates in the pawn and collateral lending industry, which primarily serves economically stressed individuals who may lack access to traditional banking and credit. | high |
| 02 | The requirement for internet access and email to enroll in monitoring services disadvantages victims in communities with limited broadband access or digital literacy. | medium |
| 03 | Victims must invest unpaid time navigating enrollment processes, monitoring credit reports, and potentially disputing fraudulent accounts, imposing hidden costs on people who can least afford them. | medium |
| 04 | The breach undermines trust in financial service providers serving vulnerable communities, making individuals less likely to seek legitimate collateral loans and potentially pushing them toward more predatory lending options. | medium |
Worker Exploitation
Front-line employees bear the burden · 3 points
| 01 | Front-line Best Collateral employees must handle angry and anxious customer calls about the breach without any indication in the notification letter of additional training, support, or hazard pay. | medium |
| 02 | Customer service representatives working the dedicated helpline at 1-800-405-6108 absorb emotional labor explaining corporate security failures they did not cause and cannot fix. | medium |
| 03 | The notification letter provides no information about whether Best Collateral employees’ own personal information was compromised in the breach or what protections they receive. | medium |
Corporate Accountability Failures
No consequences, no transparency · 5 points
| 01 | Best Collateral President Robert E. Verhoeff signs the notification letter but accepts no personal responsibility and faces no apparent consequences for the security failures that occurred under his leadership. | medium |
| 02 | The company provides no information about whether any executives, IT managers, or security personnel have been held accountable for the breach. | medium |
| 03 | Best Collateral offers apologies for worry and inconvenience but commits to no specific, measurable security improvements or third-party audits to prevent future breaches. | high |
| 04 | The notification letter contains no information about potential penalties, fines, or regulatory sanctions that Best Collateral may face as a result of the breach. | medium |
| 05 | Victims receive no compensation for the time, stress, and ongoing risk they face, only limited monitoring services that expire after 12 months. | high |
The PR Machine
Corporate spin and damage control · 5 points
| 01 | Best Collateral opens the notification letter by claiming it takes privacy and security very seriously, contradicting the security failures that allowed unauthorized access to highly sensitive data. | medium |
| 02 | The company emphasizes cooperation with the FBI and promises to hold perpetrators accountable, shifting focus to external bad actors rather than internal security deficiencies. | medium |
| 03 | Best Collateral highlights the $1 million identity fraud loss reimbursement policy as if it represents generous protection, when the cap may prove inadequate if many victims suffer fraud. | medium |
| 04 | The notification letter repeats that the company has no evidence of misuse, a statement designed to minimize alarm but providing no real assurance since identity thieves often delay using stolen data. | medium |
| 05 | The letter closes with sincere apologies from President Verhoeff, employing sympathy rhetoric while offering only time-limited monitoring that expires long before the permanent risks from biometric data theft. | medium |
The Bottom Line
Systemic failure, predictable harm · 5 points
| 01 | Best Collateral collected highly sensitive data including biometric information and military ID numbers that a pawn shop collateral company had no clear need to retain, creating unnecessary risk for customers. | high |
| 02 | The company’s seven-week delay in notifying victims demonstrates how corporations can remain technically compliant with fragmented state laws while leaving people defenseless during the critical early period after a breach. | high |
| 03 | Offering only 12 months of monitoring for the theft of permanent biometric data represents a calculated business decision to minimize costs rather than adequately protect victims. | high |
| 04 | The breach follows a predictable pattern: inadequate security, delayed disclosure, minimal accountability, and time-limited remediation that shifts long-term risk back onto victims. | high |
| 05 | Without stronger federal breach notification laws, mandatory long-term monitoring for biometric data theft, and personal liability for executives, similar incidents will continue to harm everyday people while corporations face minimal consequences. | high |
Timeline of Events
January 17, 2025
Best Collateral discovers suspicious activity within its network
January 17, 2025
Company engages independent cybersecurity experts to investigate
February 10, 2025
Best Collateral determines that files containing personal information may have been acquired without authorization
February 10, 2025
Company notifies Federal Bureau of Investigation about the breach
March 2025
Best Collateral sends notification letters to affected individuals
90 days after March 2025
Deadline for victims to enroll in complimentary monitoring services
12 months after enrollment
Free credit monitoring and identity protection services expire
Direct Quotes from the Legal Record
QUOTE 1
Company admits delayed discovery of data theft
allegations
“On or around January 17, 2025, we discovered suspicious activity within our network and immediately initiated an investigation of the matter. We engaged independent cybersecurity experts to assist with the process. As a result of the investigation, on or about February 10, we determined that certain files that contained personal information may have been acquired from our network without authorization.”
💡 Best Collateral took nearly a month to confirm data theft, leaving victims unaware and vulnerable during the critical early period.
QUOTE 2
No evidence disclaimer masks real risk
pr_machine
“Please note that we have no evidence of the misuse, or attempted misuse, of any potentially impacted information.”
💡 This statement provides false reassurance since identity thieves often sit on stolen data for months before using it.
QUOTE 3
Scope of highly sensitive data exposed
allegations
“It may have included your name, health insurance policy information, and/or Social Security numbers. If you have been a customer, the information may have included your name, driver’s license number, biometric information, and/or military identification number.”
💡 The breach exposed irreversible biometric data and military IDs, creating permanent identity theft risks.
QUOTE 4
Limited monitoring period despite permanent risk
profit
“Best Collateral is also offering you complimentary identity protection services through TransUnion, a leader in consumer identity protection. These services include 12 months of credit monitoring, dark web monitoring, a $1 million identity fraud loss reimbursement policy, and fully managed identity theft recovery services.”
💡 Twelve months of monitoring is inadequate for biometric data that cannot be changed and creates lifetime risk.
QUOTE 5
Artificial enrollment deadline creates urgency
profit
“The deadline to enroll in these services is 90 days from the date on this letter.”
💡 The 90-day window may cause victims who delay to lose access to even the limited protections offered.
QUOTE 6
Barriers to accessing monitoring services
community
“The enrollment requires an internet connection and e-mail account and may not be available to minors under the age of 18 years of age.”
💡 These requirements exclude victims without reliable internet access or email, disproportionately harming vulnerable populations.
QUOTE 7
President accepts no accountability
accountability
“We take your trust in us and this matter very seriously. Please accept our sincere apologies for any worry or inconvenience this may cause. Sincerely, Robert E. Verhoeff, President, Best Collateral, Inc.”
💡 The president offers apologies but no acknowledgment of responsibility, consequences, or specific corrective actions.
QUOTE 8
FBI notification emphasized over security failures
pr_machine
“We also notified the Federal Bureau of Investigation and will cooperate with any resulting investigation and will provide whatever cooperation may be necessary to hold the perpetrators accountable.”
💡 Best Collateral shifts focus to external criminals rather than explaining what internal security measures failed.
QUOTE 9
Privacy commitment contradicted by breach
pr_machine
“Best Collateral takes the privacy and security of all information within its possession very seriously.”
💡 This boilerplate claim rings hollow when the company failed to prevent unauthorized access to highly sensitive data.
QUOTE 10
Identity verification required to access protections
profit
“Please note that when signing up for monitoring services, you may be asked to verify personal information for your own protection to confirm your identity.”
💡 Victims must provide additional personal information to access monitoring, creating further privacy risks and administrative burden.
QUOTE 11
Vague security improvements claimed
accountability
“As soon as we discovered this incident, we took the steps described above and implemented measures to enhance security and minimize the risk of a similar incident occurring in the future.”
💡 Best Collateral provides no specifics about what security measures failed or what concrete improvements have been made.
QUOTE 12
Document version number suggests template approach
pr_machine
“12478885v2”
💡 The version number at the top of each page indicates this is a templated legal document, not a personalized accountability communication.
Frequently Asked Questions
What personal information did Best Collateral expose in this breach?
Best Collateral exposed names combined with Social Security numbers, health insurance policy information, driver’s license numbers, biometric information such as fingerprints or facial recognition data, and military identification numbers. The specific types of data varied depending on whether you were a general contact or an active customer.
When did Best Collateral discover the breach and when did they tell customers?
Best Collateral discovered suspicious activity on January 17, 2025, confirmed that data had been stolen on February 10, 2025, but did not send notification letters to customers until March 2025. This created a seven-week gap between detection and notification.
Why is biometric data theft so serious?
Unlike passwords, credit card numbers, or even Social Security numbers, biometric data such as fingerprints or facial recognition templates cannot be changed or reissued. Once stolen, this information creates permanent identity theft and fraud risks that will follow victims for their entire lives.
How long does the free credit monitoring last?
Best Collateral offers only 12 months of complimentary credit monitoring through TransUnion. After the free period expires, victims must pay for continued monitoring or manage identity theft risks on their own, despite facing lifetime exposure from stolen biometric data.
What should I do if I received a notification letter?
Enroll in the free monitoring services immediately using the unique code in your letter before the 90-day deadline expires. Place fraud alerts or security freezes on your credit reports with all three major credit bureaus. Monitor your financial accounts, credit reports, health insurance statements, and tax records closely for signs of fraud. Consider filing a report with local law enforcement and the Federal Trade Commission.
Can I sue Best Collateral for this breach?
You may have legal grounds to join or file a lawsuit, especially given the exposure of highly sensitive data including Social Security numbers, biometric information, and military IDs. Consult with an attorney who specializes in data breach cases to discuss your options, including potential class action litigation.
What if I do not have internet access or email to enroll in monitoring?
The notification letter states that enrollment requires an internet connection and email account. If you lack these resources, call the helpline at 1-800-405-6108 to ask about alternative enrollment methods. This requirement unfairly excludes victims without reliable digital access.
Why did a pawn shop need my biometric data and military ID?
The notification letter provides no explanation for why Best Collateral collected and stored such sensitive information. This raises serious questions about data minimization practices and whether the company was retaining information it did not need, creating unnecessary risks for customers.
What happens after the 12 months of free monitoring ends?
Once the complimentary monitoring period expires, you will need to pay for continued services or cancel. Best Collateral provides no long-term protection despite the permanent nature of the stolen data, particularly biometric information that cannot be changed.
Has anyone been held accountable at Best Collateral for this breach?
The notification letter contains no information about accountability measures, executive consequences, or personnel changes. President Robert E. Verhoeff signed the letter offering apologies but accepting no responsibility and facing no apparent consequences for the security failures that occurred under his leadership.
💡 Explore Corporate Misconduct by Category
Corporations harm people every day — from wage theft to pollution. Learn more by exploring key areas of injustice.
- 💀 Product Safety Violations — When companies risk lives for profit.
- 🌿 Environmental Violations — Pollution, ecological collapse, and unchecked greed.
- 💼 Labor Exploitation — Wage theft, worker abuse, and unsafe conditions.
- 🛡️ Data Breaches & Privacy Abuses — Misuse and mishandling of personal information.
- 💵 Financial Fraud & Corruption — Lies, scams, and executive impunity.
