
You Trusted Chrysler. Criminals Got Your Social Security Number



What Was Actually Stolen From You

Loria and Thomas Spadafore wanted a truck. They saved for it, they chose it, they drove to a dealership and signed paperwork. As part of that ordinary transaction, they were legally required to hand over their Social Security numbers. There was no checkbox that said “optional.” There was no way to buy the vehicle without surrendering the most sensitive piece of identifying information the U.S. government assigns to a human being. So they gave it. Because that’s what you do. Because you trust that a company the size of Stellantis, with billions in revenue and a legal obligation to protect customer data, is not going to leave your Social Security number sitting in an unsecured database like an unlocked filing cabinet in an abandoned building.

They were wrong. And now there is no fix.

A Social Security number is not a password. You cannot reset it. You cannot get a new one by clicking “Forgot SSN.” The process to obtain a replacement SSN requires you to first prove that your existing number is actively being used to harm you. That means the harm has to happen first. You have to be defrauded, have credit opened in your name, have a criminal use your identity during an arrest, have a fraudulent tax return filed in your name, before the government will consider issuing you a new number. And even then, the old number doesn’t disappear from databases that already have it.

What the Spadafores and every other class member now carry with them is a specific and permanent vulnerability. They did not choose this vulnerability. They did not consent to it. They walked into a dealership to buy a Jeep and came out permanently exposed. The anxiety that comes with that is not theoretical. It is the monthly ritual of checking credit reports for accounts you didn’t open. It is the creeping dread when a letter arrives from a bank you’ve never heard of. It is explaining to a landlord that the eviction on your record isn’t yours, that someone used your name, that you need to file paperwork to prove you are who you say you are. It is showing up to a job interview where a background check has flagged criminal charges you never committed because someone handed your Social Security number to police when they were arrested.

The Identity Theft Resource Center found in 2021 that most victims of identity crimes need more than a month to resolve the damage. Some need over a year. That’s a year of their life, their evenings, their weekends, their emotional energy, spent cleaning up a mess a corporation made. FCA got to collect that Social Security number, use it for its own business analytics, marketing, and financing operations, profit from having it, and then lose it to criminals. The Spadafores bear the cost. Not FCA. Not Stellantis. The people who just wanted a truck.

Researchers have established that when consumers are informed about how companies protect their data, some are willing to pay a premium to buy from companies with better privacy practices. FCA never told customers their data wasn’t protected. It told them the opposite. The complaint documents that FCA made explicit statements to customers that their personal information would remain private. Those were not true statements. The customers paid for security they never received.


Timeline: From Breach to Federal Lawsuit

  • Sept 2025: Stellantis parent breached via 3rd-party platform. (~3 months: no fix.)
  • Dec 25, 2025: Everest ransomware breaches FCA; 1 TB data exfiltrated. (10 days: ransom refused.)
  • Jan 4, 2026: Everest publishes stolen data publicly. (17 days later.)
  • Jan 21, 2026: Class action filed, E.D. Michigan.

What the Complaint Actually Says: Verbatim

The following are direct, unedited excerpts from the federal class action complaint filed January 21, 2026, in Case No. 2:26-cv-10214. Each quote is followed by a plain-language breakdown of what it proves.

“On or around December 25, 2025, the ransomware group Everest breached Defendant’s systems due to Defendant’s failure to secure its databases, gaining access to 1 terabyte of Plaintiffs’ and Class Members’ sensitive Personal Information.”

— Complaint ¶14
  • The complaint attributes the breach to FCA’s failure to secure its own databases. The ransomware group is the actor, but FCA’s negligence is identified as the enabling condition.
  • One terabyte of data is a massive volume. For context, that volume can hold hundreds of millions of text documents or the full records of tens of thousands of individuals.

“On information and belief, Defendant refused to pay the ransom demanded by Everest and Everest published Personal Information belonging to Plaintiffs and Class Members on January 4, 2026.”

— Complaint ¶16
  • FCA’s decision not to pay the ransom meant the stolen data was released into public criminal networks. The complaint makes clear that this decision had direct consequences for class members’ personal safety.
  • The gap between breach (December 25) and publication (January 4) was ten days. There is no allegation in the complaint that FCA notified affected customers during that window.

“Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive information they were maintaining for Plaintiffs and Class Members, causing the exposure of PII, such as encrypting the information or deleting it when it is no longer needed.”

— Complaint ¶17
  • The complaint alleges FCA was not encrypting stored Social Security numbers and other PII. Encryption is among the most fundamental data security practices, not an advanced or expensive one.
  • The allegation that FCA failed to delete data “when it is no longer needed” means the company was keeping sensitive customer records longer than necessary, increasing exposure without business justification.

“In September, unauthorized third parties infiltrated the databases of FCA’s parent company Stellantis, gaining access to customer information. Despite such knowledge, Defendant failed to implement and maintain reasonable and appropriate data privacy and security measures to protect Plaintiffs’ and Class Members’ PII from cyber-attacks that Defendant should have anticipated and guarded against.”

— Complaint ¶¶20–21
  • This is the most damaging allegation in the complaint. FCA’s own parent company was breached months before the December attack. That breach put FCA on direct notice that its corporate family was a target.
  • The complaint argues FCA had both actual knowledge of the threat and the time to address it before the Everest attack occurred. It chose not to.

“Defendant failed to follow, enforce, or maintain the aforementioned best practices. Defendant also failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC).”

— Complaint ¶37
  • The NIST Cybersecurity Framework and CIS Critical Security Controls are industry-standard baselines, not cutting-edge or aspirational targets. They represent the minimum expectation for any organization handling sensitive personal data.
  • The specific NIST controls cited cover access management (PR.AC), data security (PR.DS), detection (DE.CM), and incident response communications (RS.CO). FCA allegedly failed every single one of these categories.
  • The complaint also specifically calls out the failure to implement multi-factor authentication, which is explicitly required under multiple NIST PR.AC controls and is considered basic hygiene in any regulated data environment.

“If I have your name and your Social Security number and you don’t have a credit freeze yet, you’re easy pickings.”
— Tom Stickley, data security researcher, quoted in TIME magazine, cited in Complaint ¶32

Entity Map: Who Owns What and Who Gets Exposed

  • STELLANTIS N.V. (Parent Corporation) owns FCA US LLC.
  • FCA US LLC d/b/a Stellantis North America (Auburn Hills, Michigan) operates the CHRYSLER, DODGE, JEEP, and RAM brands.
  • CUSTOMERS give PII: they hand over SSN, DOB, address, phone, name.

What Customers Were Told vs. What Actually Happened

  • WHAT YOU WERE TOLD: “Your personal information will remain private.” — FCA Privacy Policy (Complaint ¶88). THE REALITY: SSNs sat in unencrypted databases with no MFA protection.
  • WHAT YOU WERE TOLD: Industry-standard security expected and implied. THE REALITY: Failed NIST CSF v1.1 and CIS CSC minimum standards.
  • WHAT YOU WERE TOLD: Your data is used for your transaction only. THE REALITY: PII used for analytics, ads, marketing; retained indefinitely.
  • WHAT YOU WERE TOLD: You will be promptly notified of any breach. THE REALITY: Data published publicly Jan 4; timely notice alleged absent.

The Damage Beyond Your Credit Score

Public Health

When Social Security numbers are combined with other PII and sold on the dark web, the harm extends beyond finances into healthcare access, mental health, and physical safety.

  • Identity thieves can use stolen SSNs and dates of birth to receive medical treatment in a victim’s name, creating false medical records that can corrupt a victim’s actual health history and insurance records, potentially leading to dangerous misdiagnoses or denied coverage based on conditions they don’t have.
  • Victims face documented psychological harm from identity theft. The sustained anxiety of monitoring accounts, disputing fraudulent charges, and anticipating the next misuse of their data creates chronic stress that has measurable physical health consequences over time.
  • The Identity Theft Resource Center found that victims of identity crimes spend more than a month resolving issues, with some taking over a year. That represents sustained disruption to daily life, sleep, work performance, and relationships.
  • Victims may receive emergency services or prescription drugs billed to their insurance under a thief’s fraudulent claim, creating coverage gaps and claim histories that follow the victim for years after the original breach.

Economic Inequality

The people least equipped to defend themselves from identity theft are the ones who pay the heaviest price when a corporation like FCA fails to protect their data.

  • Credit freezes, identity monitoring services, fraud alerts, and legal assistance all cost money or significant time. Customers who already stretched their budgets to buy a vehicle are now expected to pay again, in both dollars and hours, to clean up a mess they didn’t make.
  • The complaint acknowledges that class members “paid for data security protection they did not receive.” FCA collected the revenue from vehicle sales, benefited from using customer PII for marketing and analytics, and then failed to deliver the security those customers were implicitly promised.
  • The dark web value of a Social Security number combined with a date of birth, name, and address is substantially higher than standalone financial data. Criminal researchers and the complaint itself confirm this data can be aggregated and sold repeatedly for years. The victims bear this exposure permanently; FCA bears no ongoing personal risk.
  • Low-income vehicle buyers are less likely to have a credit freeze already in place, less likely to have legal resources to dispute fraudulent accounts, and more likely to rely on the credit score that identity thieves will now destroy. The complaint notes that some class members have already suffered actual fraud, confirming the harm is active, not theoretical.
  • The unjust enrichment count in the lawsuit captures the core economic unfairness: FCA collected the full price of vehicles, profited from the associated PII, and provided customers with security that did not exist. The company keeps the profit. The customers keep the risk.

“It is within this context that Plaintiffs and Class Members must now live with the knowledge that their PII is forever in cyberspace and was taken by people willing to use the information for any number of improper purposes and scams.”
— Complaint ¶34

Anatomy of FCA’s Security Failures: What Was Missing

FCA DATA SECURITY (as customers were implicitly promised):

  • ENCRYPTION: SSNs stored readable without decryption key. ABSENT.
  • MULTI-FACTOR AUTH: Explicitly cited in complaint as missing. ABSENT.
  • DATA MINIMIZATION: Old PII never deleted when no longer needed. ABSENT.
  • TIMELY NOTICE: Illinois law requires “most expedient time.” ALLEGED ABSENT.
  • ACCESS LIMITS: Employee data access unchecked.

RESULT: EVEREST BREACH. 1 terabyte of SSNs, DOBs, addresses, phone numbers published publicly January 4, 2026. Tens of thousands affected.

What Your Social Security Number Is Worth to Them


The Watchlist and Your Next Move

The lawsuit is filed. The data is public. Here is who to contact, what to watch, and what you can do that actually matters.

Who Filed This Case

  • Lead Plaintiffs: Loria Spadafore and Thomas Spadafore, DuPage County, Illinois. Named plaintiffs in the proposed nationwide class and Illinois subclass.
  • Counsel of record: E. Powell Miller and Gregory A. Mitchell, The Miller Law Firm, P.C., Rochester, Michigan. Bradley K. King, Ahdoot and Wolfson, PC, New York.
  • Defendant: FCA US LLC d/b/a Stellantis North America, 1000 Chrysler Drive, Auburn Hills, Michigan 48326.

Regulatory Watchlist

  • Federal Trade Commission (FTC): The complaint cites Section 5 of the FTC Act as a legal basis for FCA’s duty of care. The FTC has authority to investigate and fine companies for unfair data security practices. File a complaint at ftc.gov/complaint.
  • Illinois Attorney General: The complaint alleges violations of the Illinois Consumer Fraud and Deceptive Business Practices Act and the Illinois Personal Information Protection Act. The AG’s office can pursue enforcement independently of the federal lawsuit.
  • Department of Justice (DOJ): Ransomware groups including Everest are subject to federal criminal investigation. The DOJ Cyber Division handles cases involving ransomware gangs that publish stolen data on criminal networks.
  • National Institute of Standards and Technology (NIST): The complaint cites NIST Cybersecurity Framework Version 1.1 as the baseline FCA failed to meet. NIST frameworks are voluntary but increasingly referenced in litigation as the legal standard of care for data security.
  • Consumer Financial Protection Bureau (CFPB): If your identity is stolen and used to open credit accounts, the CFPB handles consumer financial fraud complaints and can assist with disputing unauthorized accounts.

What You Can Do Right Now

  • Freeze your credit immediately at all three major bureaus: Equifax, Experian, and TransUnion. A credit freeze is free and prevents anyone from opening new accounts in your name. The complaint’s own cited researcher says this single step is the difference between being “easy pickings” and being protected.
  • File a fraud alert. Even without a confirmed breach notice from FCA, you can request an extended fraud alert if you believe your information has been compromised. This requires creditors to verify your identity before approving new accounts.
  • Check the class action docket. Case No. 2:26-cv-10214-TGB-DRG, Eastern District of Michigan. Court filings are public and available on PACER. ClassAction.org is tracking this case as part of its searchable database.
  • Connect with mutual aid groups in your area that assist identity theft victims. These networks help people navigate the bureaucratic process of disputing fraudulent accounts, filing police reports, and accessing free legal aid, which is particularly important for class members who cannot afford private attorneys.
  • Organize. If you bought a Chrysler, Dodge, Jeep, or Ram vehicle and provided your Social Security number, contact plaintiff counsel at The Miller Law Firm or Ahdoot and Wolfson to understand your options as a potential class member. You do not need to file your own lawsuit to participate in a class action settlement or verdict.
  • Pressure your legislators. Federal data protection legislation that mandates encryption of Social Security numbers, deletion of PII after business necessity ends, and mandatory breach notification timelines does not yet exist at a comprehensive federal level. Call your congressional representatives and demand it.

The source document for this investigation is attached below.

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
