They Trusted Nissan With Everything. Nissan Let Criminals Take It.
Nissan North America got hacked on November 7, 2023. Names, Social Security numbers, dates of birth, pay records, and medical information belonging to an unknown number of employees were taken by cybercriminals. The settlement Nissan agreed to caps total payout at $1.5 million. Attorneys will take up to $500,000 of that. You do the math on what the people whose lives were upended will actually see.
November 7, 2023: The Day Nissan’s Walls Came Down
Nissan North America stored its employees’ most intimate financial and health data on its computer network. On or about November 7, 2023, unauthorized actors got inside. The settlement documents describe it plainly: cybercriminals gained access to a combination of names, Social Security numbers, dates of birth, pay information, and medical records.
- The data compromised includes Social Security numbers — the single most valuable piece of identifying information a person has, used to open credit accounts, file tax returns, and take out loans in someone’s name.
- Pay information and medical records were also taken. These are not abstract data points. They reveal income levels, health conditions, treatments, and vulnerabilities that can be used for targeted fraud, extortion, or employment discrimination.
- The breach was experienced by employees — people who had no choice about whether to hand over this data. Employment requires providing your Social Security number, your date of birth, and your health coverage information. Nissan asked for it. Nissan stored it. Nissan failed to protect it.
- The lawsuit was filed on June 18, 2025, meaning roughly eighteen months passed between the breach and the formal legal action. The settlement agreement does not disclose when victims were first notified of the compromise or when Nissan first discovered the intrusion.
- The settlement class is defined as all persons who received notice that their Private Information may have been compromised. The exact number of affected individuals is not disclosed in the settlement document.
“Cybercriminals gained unauthorized access to Nissan’s computer network on or about November 7, 2023 — taking names, Social Security Numbers, dates of birth, pay information and medical records.”
$1.5 Million Cap: Where Every Dollar Goes Before It Reaches You
The entire settlement is a closed pool of $1,500,000. Nothing more can ever be added. Inside that single pool sit attorney fees, admin costs, payments to the named plaintiffs, and whatever is left for the thousands of victims. Here is exactly how the math works against ordinary people.
- The $1,500,000 aggregate cap is absolute. The settlement document states: “No additional amounts shall be due or owed by Defendant to fund the Settlement.” Once Nissan writes one check, its financial obligation to the victims of this breach ends forever.
- Attorneys are permitted to request up to $500,000 from inside that same pool. If the court awards the full amount, one-third of the total fund disappears before a single victim claim is processed. The attorneys’ fees include “all fees (including catalyst fees), expenses, and costs for Class Counsel or any other counsel in connection with the claims relating to the Data Incident, whether past, present, or future.”
- Kroll Settlement Administration LLC, the third-party settlement administrator, is also paid from the same $1.5 million cap. Settlement administration costs are not capped separately within the document; they compete directly with victim payments.
- Each of the four named plaintiffs — Thomas Taylor, Bobby Carter, Ryan Levey, and Zackary Roberts — is eligible for a service award of up to $3,000 each, totaling up to $12,000. These payments also come from the same $1.5 million pool.
- Cash Payment B, the flat payment that most victims will qualify for, is explicitly described as subject to pro rata reduction. If claim volume is high, the $100 maximum will be cut proportionally. The final per-person payout could be far less than $100.
- Cash Payment A for extraordinary documented losses, capped at $4,500, requires third-party documentation such as a police report or submitted insurance claim — bureaucratic proof that many identity theft victims will find difficult or impossible to obtain.
“No additional amounts shall be due or owed by Defendant to fund the Settlement” — the exact moment Nissan’s obligation to its employees ends, permanently and forever, regardless of what the stolen data enables criminals to do next year or five years from now.
What a Number Cannot Buy Back
Picture the moment you get a letter in the mail telling you your Social Security number was stolen. Read that sentence again slowly. Your Social Security number. The nine digits that follow you from your first job to your last breath. The number that is attached to your credit history, your tax returns, your Medicare and Medicaid eligibility, your student loans, your apartment application, your car financing, your children’s school enrollment records. The number that, once it is in a criminal’s hands, is functionally impossible to fully scrub from the dark web marketplaces where it was almost certainly sold.
The people in this settlement are Nissan employees. They did not choose to hand their data to some optional third-party app. They were required to disclose this information as a condition of being employed. Nissan needed their Social Security numbers for payroll taxes. Nissan needed their dates of birth for benefits enrollment. Nissan needed their medical records because Nissan provides their health insurance. These are not data points people share voluntarily with corporations to get a discount. They are data points people share because they have no alternative if they want to pay their rent.
The settlement offers up to $100 if you cannot prove documented losses. Think about what that means in practice. Identity theft often surfaces months or years after the initial breach, when a fraudulent credit card account opens in your name, when the IRS sends a letter saying someone already filed a tax return using your information, when a debt collector calls about a loan you never took out. The settlement’s release language is explicit: you surrender claims for harms you do not even know about yet. A crime committed today using this stolen data — a crime that may not surface until 2027 or 2028 — cannot be sued over. The $100 check you cash in 2026 ends your legal options forever.
The medical records component deserves particular attention. The settlement documents list “medical records for certain individuals” as part of the compromised information. Medical data is uniquely personal. It is the kind of information people protect ferociously from employers, insurance companies, and family members. In the hands of identity thieves, it can be used for medical fraud — billing insurance for procedures the victim never received, using the victim’s insurance to obtain controlled substances, or establishing fraudulent healthcare accounts. Unlike a credit card number, a medical history cannot be reset. The damage from medical identity theft is notoriously difficult and expensive to untangle.
There is also the texture of ordinary daily anxiety that a breach like this creates and that no settlement spreadsheet ever captures. The hypervigilance every time a credit card is declined. The 20 minutes lost every few weeks checking credit reports. The lingering dread every time an unfamiliar number calls. The moment your teenager mentions they were denied a student loan because someone opened an account in their name using your stolen information. These are not melodramatic hypotheticals. They are the documented lived experience of identity theft victims, a category that Nissan’s employees have now been inducted into through no action of their own.
Nissan signed the settlement agreement in December 2025. The company’s signature does not come with an apology. It comes with language that explicitly states the agreement “shall not be construed as or deemed to be evidence of an admission or concession of any point of fact or law.” The people who trusted Nissan with the most sensitive information of their lives will receive, at most, a few hundred dollars and two years of single-bureau credit monitoring. The company whose failure created this situation will pay a one-time capped sum and walk away with its liability permanently extinguished.
Their Words. Their Document. Read It Yourself.
Every quote below is taken verbatim from the settlement agreement filed in Case No. 25-0975-BC, Chancery Court for the State of Tennessee, Twentieth Judicial District, Davidson County. Nothing is paraphrased. Nothing is invented.
“Defendant does not in any way acknowledge, admit to, or concede any of the allegations made in the Action, and expressly disclaims and denies any fault or liability, or any charges of wrongdoing that have been or could have been asserted in the Action.”
- This clause means Nissan pays $1.5 million while simultaneously claiming it did nothing wrong. The settlement is structured as a pure business calculation — cheaper to settle than to litigate — rather than as any form of accountability.
- The phrase “could have been asserted” is significant. It extends the denial not just to claims that were made in the lawsuit but to any theory of liability anyone might ever raise. Nissan is pre-emptively denying wrongdoing that has not even been alleged yet.
“All Claims determined to be Valid Claims shall be paid in full by Defendant up to a cap of $1,500,000.00, inclusive of all Settlement Class relief (including Credit Monitoring, attorneys’ fees and costs for all Plaintiffs’ Counsel, Service Award payments, and Settlement Administration Costs). If the total of Valid Claims, cost of Credit Monitoring, attorneys’ fees and costs, Service Award payments, and Settlement Administration Costs exceeds the cap, the class relief shall be reduced pro rata.”
- This passage confirms that victim payments are the variable in the formula. Every other cost category — lawyers, administrators, service awards — has a defined ceiling or contractual commitment. The victims’ share shrinks to absorb overages.
- The pro-rata reduction clause means the more victims who come forward to claim their $100, the less each victim actually receives. Participation in the settlement punishes the class as a whole by driving down the per-person payment.
“The Releasing Parties shall be deemed to have, and by operation of the Final Approval Order shall have, fully, finally, and forever released, acquitted, relinquished, and completely discharged the Released Parties from any and all Released Claims… Each Party expressly waives all rights under California Civil Code section 1542.”
- California Civil Code section 1542 is a consumer protection that says you cannot be forced to release claims you do not yet know about. Nissan’s settlement explicitly waives that protection — and the equivalent laws in Montana, North Dakota, and South Dakota.
- “Fully, finally, and forever” is the operative phrase. Identity theft consequences from this 2023 breach that do not surface until 2028 or 2030 are released today. Victims lose legal recourse for harms that literally have not happened yet.
“Defendant has entered into this Agreement to resolve all controversies and disputes arising out of or relating to the Data Incident and allegations made in the Action as it relates to Defendant, and to avoid the litigation costs and expenses, distractions, burden, expense, and disruption to its business operations associated with further litigation.”
- The document states plainly that Nissan’s motivation for settling is avoiding cost and disruption to business operations — not compensating harmed employees, not improving data security, not making victims whole.
- “Disruption to its business operations” is listed as a primary reason to settle. Nissan’s business continuity was a more prominent stated concern than the financial harm inflicted on the employees whose data was stolen.
“This Action alleges that Nissan failed to properly secure and safeguard employees’ Private Information including names, Social Security Numbers, dates of birth, pay information and medical records for certain individuals.”
- This language, from the Long Form Notice exhibit, confirms the specific categories of data that the plaintiffs allege were not properly secured. The use of “medical records for certain individuals” suggests not all class members had medical data exposed — but the settlement does not differentiate compensation based on the sensitivity of what was stolen from each person.
- The phrase “failed to properly secure and safeguard” is the core legal allegation. Nissan denies it. But Nissan also agreed to pay $1.5 million rather than prove the allegation wrong in court.
“Defendant represents that it regularly and continually takes steps to improve its security and resiliency generally, and as a part of that process, Defendant implemented several measures since November 2023 following notice of the Data Incident, including but not limited to: (i) hardened firewall policy rules and VPN login; (ii) expanded endpoint detection response protection; (iii) increased penetration infrastructure testing; (iv) extended security operations center support; (v) enhanced insider threat / compromise user monitoring and detection capabilities; (vi) enhanced enforcement of data loss prevention policies; (vii) conducted red / blue team exercises and enhanced technical knowledge of security teams; and (viii) enhanced security awareness training for protecting confidential data.”
- The operative word is “represents.” Nissan is representing — not proving, not being audited on, not being held to by court order — that it made these changes. There is no independent verification mechanism, no third-party audit requirement, and no penalty for failing to maintain these improvements.
- The list of improvements is essentially a description of basic security hygiene that should have been in place before November 2023. “Security awareness training” and “data loss prevention policies” are Entry Level 101 data protection measures, not advanced safeguards. The fact that these had to be enhanced after a breach is an implicit acknowledgment of how inadequate pre-breach protections were — which is precisely what Nissan is simultaneously denying.
“No additional amounts shall be due or owed by Defendant to fund the Settlement.” Nissan’s total financial exposure for compromising the life data of its employees is bounded by a single line of contract text.
This Breach Does Not End When the Settlement Check Clears
Public Health
Medical record theft creates a specific category of health harm that compounds over time and is uniquely difficult to correct.
- The settlement confirms that medical records were among the data compromised for “certain individuals.” Medical identity theft can corrupt a victim’s official health record — inserting false diagnoses, medications, or procedures — which can lead to dangerous misdiagnoses and incorrect treatments by providers who rely on those records in future emergencies.
- Stolen health insurance credentials are used to fraudulently bill for medical procedures, which can exhaust a victim’s annual benefits or lifetime caps before the victim realizes the fraud occurred. For employees with serious health conditions, this can mean coverage denials at critical moments.
- The psychological harm of a data breach involving medical records is documented and significant. Sustained anxiety, hypervigilance, and loss of trust in institutions are consistent findings in breach victim studies. The two years of credit monitoring offered by this settlement provides no mental health support or counseling resources.
- Social Security numbers in criminal hands can be used to file fraudulent Medicare and Medicaid claims, which can affect a victim’s eligibility and benefits access — particularly devastating for lower-income employees or those approaching retirement age.
Economic Inequality
Data breaches do not harm all employees equally. They concentrate the worst outcomes on workers with the least capacity to absorb and fight them.
- The $4,500 extraordinary loss reimbursement requires a police report or submitted insurance claim as documentation. Working-class employees without the time, resources, or institutional confidence to navigate police reporting systems or insurance claims processes are effectively filtered out of the highest compensation tier.
- The $100 flat payment tier is subject to pro-rata reduction. An employee who submits a claim on time and in good faith may receive substantially less than $100, an amount that does not begin to cover the documented average cost of resolving an identity theft case, which according to the Identity Theft Resource Center runs into many hours of recovery work and can involve hundreds of dollars in filing fees, notarization, and legal costs.
- The settlement’s release of unknown future claims hits hardest for people who cannot afford to retain a lawyer and renegotiate. By cashing the settlement check, a victim legally surrenders all future legal options. People who do not read the fine print — and the fine print in this settlement runs forty pages — will not understand they have done so.
- The offer of one-bureau credit monitoring through Experian means only Experian’s data is monitored. Fraudulent activity reported to TransUnion or Equifax — the other two major bureaus — will not trigger an alert under this benefit. For victims whose Social Security numbers are being actively misused, single-bureau monitoring is meaningfully less protective than three-bureau monitoring.
- For employees who have already enrolled in Nissan’s original two-year monitoring offer, the settlement merely extends what they already have. The extension begins only after the original term expires, meaning there is no immediate uplift in protection for the most at-risk period following a breach.
- Nissan’s employees did not choose to bear this risk. They accepted it as an involuntary condition of employment. The settlement’s per-victim compensation reflects none of the power asymmetry that created the situation: one corporation’s security failure, borne financially by the individual workers whose data was taken.
Nissan Calculated What Your Social Security Number Is Worth to Them
For context: Nissan North America reported revenues of approximately $17.7 billion in fiscal year 2024. The $1.5 million settlement cap represents roughly 0.0085% of that revenue figure. Put another way, Nissan generated the equivalent of the entire settlement fund in approximately 45 minutes of business operations. The employees whose lifetime financial identities were exposed received a response scaled not to the harm, but to the cost of avoiding litigation.
If You Were Affected, Here Is What You Can Actually Do
The settlement is pending court approval. Until the Final Approval Order is entered, class members retain the right to opt out. After approval, the window closes permanently. Act before it does.
Named Defendant and Counsel
- Nissan North America, Inc. — Defendant. Represented by Brigid M. Carpenter and Zachary Busey of Baker, Donelson, Bearman, Caldwell & Berkowitz, PC, Nashville and Memphis, Tennessee.
- Chancellor Anne Martin β Davidson County Chancery Court, Part II, Tennessee Business Court. Case No. 25-0975-BC. This is where the Final Approval Hearing will be held.
Regulatory Watchlist: Who Has Jurisdiction Over This
- Federal Trade Commission (FTC): Primary federal authority over corporate data security practices. The FTC has pursued enforcement actions against companies for inadequate data security under Section 5 of the FTC Act. File a complaint at ftc.gov/complaint.
- Consumer Financial Protection Bureau (CFPB): Has authority over financial data practices and identity theft remediation. If you experience financial harm from this breach, file at consumerfinance.gov/complaint.
- Social Security Administration (SSA): If your SSN is misused for employment fraud or benefit fraud, report it at oig.ssa.gov. Request a Social Security Statement to check for unauthorized earnings records.
- Internal Revenue Service (IRS): If your SSN is used to file a fraudulent tax return, you will need an IRS Identity Protection PIN. Apply at irs.gov/identity-theft-central. File IRS Form 14039 if fraud has already occurred.
- State Attorney General — Tennessee: The Tennessee Attorney General has consumer protection authority. Contact at tn.gov/attorneygeneral/consumer-protection.html. Tennessee residents have state-level privacy protections that may supplement federal options.
- Department of Labor (DOL): If pay records were compromised and wage theft or tax fraud results, contact the DOL’s Wage and Hour Division at dol.gov.
Protect Yourself Right Now: Practical Steps
- Freeze your credit at all three bureaus immediately — not just Experian. Go directly to equifax.com/personal/credit-report-services, experian.com/freeze, and transunion.com/credit-freeze. A credit freeze is free, it is the most effective protection against new-account fraud, and it does not affect your existing accounts or credit score.
- Request your free credit reports now at annualcreditreport.com. Review all three bureaus for accounts you do not recognize. You are entitled to free weekly reports through December 2026 under current FTC rules.
- Place a fraud alert with any one of the three bureaus — that bureau is required to notify the other two. This tells creditors to take extra verification steps before opening accounts in your name.
- Review your medical records with your health insurance provider. Request an Explanation of Benefits for all claims filed under your policy for the past 24 months. Look for procedures you did not receive or providers you did not visit.
- Decide whether to opt out before the opt-out deadline. If you have documented identity theft losses that may exceed $100 and you believe you have provable damages, consult an attorney before accepting the settlement. Opting out preserves your right to pursue claims independently. The opt-out deadline will be published in the settlement’s Notice materials — watch for the postcard in the mail.
- Connect with affected coworkers. Organize collectively with other Nissan employees who received breach notices. Collective worker pressure on employers around data security obligations is more powerful than individual claims, and labor organizing around data rights is a growing front in worker advocacy.
- Contact the Identity Theft Resource Center at idtheftcenter.org or by phone at 888-400-5530. They provide free, one-on-one case management support for identity theft victims at no cost — a resource the settlement does not provide.
- Support legislation requiring stronger corporate data security standards. Contact your state and federal legislators and demand breach notification law reform that includes minimum security standards, mandatory independent audits after breaches, and victim compensation calculated on actual harm rather than corporate convenience.
The source document for this investigation is attached below.


