1 Million People Had Their Medical Records Stolen From Lockton Companies

Corporate Data Security Accountability Project  |  Beasley v. Lockton Companies  |  2024
Lockton Companies · Data Breach · Class Action Settlement

Lockton Exposed One Million People’s Most Sensitive Data and Paid No Admission of Wrongdoing

Social Security numbers, medical records, and health data belonging to roughly one million workers, dependents, and beneficiaries were stolen in November 2024 after Lockton Companies failed to protect the information it was trusted to hold.

๐Ÿญ Insurance / Risk Management
๐Ÿ“‹ Class Action Settlement
๐Ÿ“… 2024โ€“2025
๐Ÿ”ด HIGH SEVERITY
TL;DR

On November 20, 2024, an unauthorized individual broke into Lockton Companies’ computer systems and stole private information belonging to roughly one million people: names, Social Security numbers, dates of birth, health information, and medical records. These were workers and their families who trusted Lockton with their most sensitive data because Lockton managed their employee benefits. Lockton sat on this knowledge for months, only notifying victims in March 2025, more than three months after the breach occurred. A $9.9 million settlement was reached in 2025, but Lockton admitted no wrongdoing, denied all liability, and the agreement bars every victim from ever suing again.

A million people’s health and financial identities were exposed. Demand real data security standards, not corporate liability shields disguised as justice.

~1M
People whose private data was stolen
$9.9M
Total settlement value
$5.9M
Common settlement fund
$3M
Available for documented losses
$5,000
Maximum documented loss claim per person
$2.97M
Attorney fees requested
10
Class action lawsuits consolidated
3+ Mo.
Delay before victim notifications sent
Core Allegations
What Lockton did · 5 points
01 An unauthorized individual accessed Lockton’s computer systems on November 20, 2024 and stole files containing the private information of approximately one million people, including names, Social Security numbers, dates of birth, health information, and medical records. high
02 Lockton did not notify affected individuals until March 2025, more than three months after discovering the breach, leaving victims unaware and unprotected while fraudsters potentially exploited their stolen data. high
03 The stolen data included not just Lockton’s own current and former employees, but also the employees of Lockton’s clients, including major corporations like Dollar Tree, Family Dollar, Sterling Pharma Solutions, and House of Raeford Farms, along with their dependents and beneficiaries. high
04 Ten separate class action lawsuits were filed against Lockton and its clients across the Western District of Missouri, reflecting the breadth of harm caused to workers across multiple industries and employers. med
05 Plaintiffs documented actual fraud and identity theft losses resulting from the breach, yet Lockton denied all claims and maintained throughout the litigation that it did nothing wrong, settling purely to avoid litigation costs. high
Profit Over People
Revenue priorities vs. data security · 4 points
01 Lockton Companies, one of the world’s largest privately held insurance brokers and risk management firms, collected and stored sensitive private information from over a million individuals as a core part of its employee benefits business, yet invested inadequate resources in securing that data. high
02 The company built a business model that required holding health data, Social Security numbers, and medical records for workers at dozens of corporate clients, creating a centralized target for attackers while profiting from that data aggregation with no apparent accountability. high
03 Despite the settlement costing $9.9 million, Lockton paid just $1 million of attorney fees above the common fund, meaning a substantial portion of victim compensation came out of the same $5.9 million pool that was supposed to serve one million affected people. med
04 Attorney fees alone amount to nearly $2.97 million, or approximately 30 percent of the total settlement value, meaning roughly one-third of the money Lockton agreed to pay goes to lawyers rather than the million people whose data was stolen. med
Corporate Accountability Failures
Weak penalties, no admission, permanent liability shield · 5 points
01 Lockton settled without any admission of liability or wrongdoing, meaning the company paid $9.9 million entirely to make the litigation go away while publicly maintaining it did nothing wrong and bears no fault for exposing one million people’s most sensitive data. high
02 Every affected person who does not affirmatively opt out forever releases all claims against Lockton and its clients, including Dollar Tree, Family Dollar, and other major corporations, even if they never receive any compensation from the settlement fund. high
03 If more than two percent of the settlement class opts out, Lockton retains the right to void the entire settlement, giving the company a structural escape valve that protects it if class members widely reject the terms. med
04 No individual executive at Lockton faces any personal accountability, penalty, or required corrective action under this settlement. The company absorbs the cost as a business expense while leadership faces zero consequences. high
05 The settlement agreement explicitly states that no part of the settlement can ever be used as evidence of Lockton’s wrongdoing in any future proceeding, permanently insulating the company from accountability in any context beyond this litigation. high
Economic Fallout
Financial harm to workers and families · 4 points
01 Affected workers faced real documented losses including unreimbursed identity theft and fraud costs, professional fees for credit repair, costs to freeze and unfreeze credit accounts, and credit monitoring expenses they were forced to purchase to protect themselves after the breach. high
02 With $5.9 million split among one million claimants after fees, administration costs, and monitoring costs are deducted, victims who do not submit documented losses stand to receive pennies to a few dollars each, representing a fraction of the harm they actually suffered. high
03 The $3 million cap on documented loss claims means that if enough victims submit evidence of real financial harm, their individual payouts will be reduced proportionally regardless of actual damages, effectively rationing justice based on how many people were harmed. med
04 The stolen data includes health and medical information that can be used to commit medical identity theft, a form of fraud that can result in incorrect medical records, denied insurance claims, and lasting damage to victims’ healthcare access long after the breach. high
๐Ÿ˜๏ธ
Community Impact
Workers and families targeted across industries ยท 3 points
โ–พ
01 The breach affected workers at Dollar Tree and Family Dollar, retail chains that primarily employ lower-wage workers who are among the least able to absorb the financial and time costs of identity theft recovery, credit freezes, and fraud remediation. high
02 Dependents and beneficiaries of employees, including children enrolled in their parents’ health plans, had their personal information including health and medical data exposed, meaning minors were among the victims of Lockton’s security failure. high
03 The settlement class spans all living persons in the United States who were notified of the breach, crossing state lines and affecting workers in every region of the country who entrusted their private information to their employers and, indirectly, to Lockton. med
Timeline of Events
November 20, 2024
Unauthorized individual accesses Lockton’s computer systems and steals private information belonging to approximately one million people.
March 2025
Lockton sends notification letters to affected individuals, more than three months after the breach was discovered.
Spring 2025
Ten class action lawsuits are filed in the Western District of Missouri against Lockton and its clients. Plaintiffs consolidate their cases and appoint lead counsel from Milberg PLLC, Kopelowitz Ostrow P.A., and McShane & Brady, LLC.
September 3, 2025
Parties participate in a formal mediation in Los Angeles, California with experienced data breach mediator Bruce Friedman of JAMS. No agreement is reached at mediation.
October 2025
Parties reach agreement on all material settlement terms after weeks of continued post-mediation negotiations.
November 3, 2025
Federal cases are dismissed and the consolidated class action is refiled in Jackson County Circuit Court, Missouri.
December 12, 2025
Settlement Agreement is electronically filed in Jackson County, Missouri. The $9.9 million settlement seeks court approval to resolve all claims from roughly one million affected individuals.
Direct Quotes from the Legal Record
QUOTE 1: Scale of the breach confirmed in the settlement (Core Allegations)
“an unauthorized individual accessed certain computer files containing the Private Information of approximately one million individuals”
This is Lockton’s own acknowledgment of the scale. One million people. The company chose to hold that data and failed to protect it.
QUOTE 2: Definition of stolen data: Social Security numbers and health records (Core Allegations)
“Private Information means Settlement Class Members’ information that may have been impacted in the Data Incident, which includes names, Social Security numbers, dates of birth, health information, and medical information.”
This is among the most sensitive combinations of data possible. With this set of information, a fraudster can open credit accounts, file false tax returns, commit medical identity theft, and impersonate a victim for years.
QUOTE 3: No admission of wrongdoing despite paying $9.9 million (Corporate Accountability Failures)
“Defendants do not in any way acknowledge, admit to, or concede any of the allegations made in the Complaint, and disclaim and deny any fault or liability”
This is the core of the corporate accountability crisis in American data breach law. Companies can expose millions of people, pay millions to settle, and still publicly claim they did nothing wrong.
QUOTE 4: Victims release ALL future claims even without compensation (Corporate Accountability Failures)
“If a Settlement Class Member does not submit a Valid Claim, the Settlement Class Member will release his or her claims against Defendants without receiving a Cash Payment.”
Read that again. If you do nothing, you still lose your right to sue Lockton forever, and you get nothing. Inaction equals a permanent, uncompensated surrender of legal rights.
QUOTE 5: Settlement bars victims from suing Lockton’s corporate clients too (Corporate Accountability Failures)
“Released Parties means Southeast Series of Lockton Companies, LLC, Lockton Companies, LLC, Dollar Tree Inc., Family Dollar Stores LLC, Sterling Pharma Solutions, House of Raeford Farms, Inc., and all of Defendants’ impacted clients”
This settlement protects not just Lockton but every corporate client whose employees were harmed. Dollar Tree and Family Dollar workers permanently lose their right to sue anyone connected to this breach.
QUOTE 6: Corporate clients’ employees and their families all caught in the breach (Community Impact)
“Those impacted were a limited number of Defendants’ current and former employees and certain employees (current and former) of Defendants’ clients, including their dependents and beneficiaries.”
The word “limited” is doing a lot of work here when the actual number is approximately one million people. And “dependents and beneficiaries” means children enrolled in their parents’ health plans had their data stolen too.
QUOTE 7: Settlement cannot be used as evidence of wrongdoing in any future proceeding (Corporate Accountability Failures)
“Nothing contained in this Agreement shall be used or construed as an admission of liability, and this Agreement shall not be offered or received in evidence in any action or proceeding”
This clause ensures that this settlement provides zero accountability precedent. Regulators, insurers, and future plaintiffs in unrelated cases cannot point to it as evidence that Lockton was negligent.

Commentary

What exactly did Lockton do wrong?
Lockton collected and stored extraordinarily sensitive personal information from roughly one million workers, their family members, and their dependents as part of its employee benefits management business. It then failed to secure that information against an unauthorized intrusion. When a hacker accessed their files on November 20, 2024, years of personal data, including Social Security numbers, medical records, and health information, were stolen. This is not an accident; it is the predictable result of holding massive amounts of sensitive data without investing adequately in its protection.
โ“ Why did Lockton wait three months to notify victims? โ–พ
The settlement document confirms that Lockton discovered the breach on November 20, 2024 and did not send notification letters until March 2025. That is more than three months during which affected individuals had no idea their Social Security numbers and health records were in the hands of criminals. Three months is three months during which fraudsters could open credit accounts, file fraudulent tax returns, and commit medical identity theft while victims remained completely unaware and unprotected. The law requires timely notification for exactly this reason: delay causes real harm to real people.
โ“ Is $9.9 million a fair settlement for one million people? โ–พ
No, not really. After attorney fees of nearly $3 million, settlement administration costs, and the cost of one year of credit monitoring for all class members, the remaining pool of money divided among one million people is likely to produce pro rata payments of a few dollars per person, possibly less. The $3 million documented loss fund is more meaningful if you experienced actual fraud, but requires paperwork and documentation. The settlement resolves litigation risk efficiently for Lockton while providing minimal meaningful compensation to the vast majority of victims. For a company of Lockton’s size and profitability, $9.9 million is a manageable business expense, not a deterrent.
โ“ Why do companies get to settle without admitting wrongdoing? โ–พ
This is a structural feature of American civil litigation. Courts allow settlements without admissions because forcing admissions would make companies less likely to settle, potentially leaving victims with nothing after years of costly litigation. In practice, this means corporations can expose millions of people, pay millions of dollars, and face zero reputational or legal accountability. The settlement is structured as a risk management exercise, not as justice. Until Congress and state legislatures mandate stronger data security requirements with penalties tied to corporate revenue, companies have little incentive to invest more in security than they spend on settlements.
โ“ Why are Dollar Tree and Family Dollar workers specifically at risk here? โ–พ
Dollar Tree and Family Dollar are named as clients of Lockton whose employees’ data was caught in the breach, and they are also listed as “Released Parties” in the settlement. This means their workers permanently lose the right to sue either Lockton or Dollar Tree/Family Dollar in connection with this breach. These are retail workers, many earning low wages, who face the same identity theft risks as higher-earning workers but typically have fewer resources to hire credit repair professionals, navigate fraud disputes, or absorb the time and financial costs of recovery. The breach hit a workforce that was already economically vulnerable.
โ“ What can I do to prevent this from happening again? โ–พ
First, if you received a notice and have not yet filed a claim, file one now at the settlement website before the deadline. Second, place a free credit freeze at all three major bureaus (Equifax, Experian, TransUnion), which is the single most effective protection against new account fraud. Third, contact your congressional representatives and demand support for federal data breach legislation that sets minimum security standards tied to company size, mandates rapid notification (within 72 hours, not three months), and imposes penalties calculated as a percentage of revenue rather than capped flat amounts. Fourth, support organizations like the Electronic Frontier Foundation and the National Consumer Law Center that advocate for stronger data privacy protections.
โ“ What is the broader pattern this case represents? โ–พ
Lockton is not unique. This is a pattern in American corporate data handling: large firms collect vast amounts of sensitive personal data from workers who have no meaningful choice about whether to provide it, invest insufficiently in securing it, and when breaches occur, respond with delayed notification, litigation, and settlements that impose minimal accountability. The companies most likely to hold the most sensitive data, including insurance brokers, benefits administrators, payroll processors, and HR platforms, are among the least regulated. This structural gap between data collection power and data protection obligation is not an accident; it is the result of decades of successful corporate lobbying against strong data security legislation.

Aleeia

I'm the creator of this website. I have 6+ years of experience as an independent researcher studying corporatocracy and its detrimental effects on every single aspect of society.

For more information, please see my About page.

All posts published by this profile were either personally written by me, or I actively edited / reviewed them before publishing. Thank you for your attention to this matter.