The FCA US December 2025 data breach represents one of the most significant breaches of automotive customer data in recent history. On December 25, 2025, the Everest ransomware group infiltrated FCA US LLC’s systems and exfiltrated approximately 1 terabyte of sensitive customer information. When the company refused to pay the ransom demand, the group publicly released the stolen data on January 4, 2026, exposing the personal and financial information of millions of current and former Chrysler, Jeep, Dodge, and Ram vehicle owners. A class action lawsuit, Spadafore v. FCA US LLC (Case 2:26-cv-10214), was filed in Michigan federal court on January 21, 2026, to hold the company accountable for inadequate cybersecurity practices that allowed the breach to occur.
The breach exposed full names, home addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, and internal Salesforce records spanning from 2021 through 2025. To put this in perspective, this is far more comprehensive than typical data breaches—attackers didn’t just grab a customer database, they accessed years of internal company records, which often contain even more sensitive information than customer-facing systems. The litigation is currently in its early stages as of April 2026, with no settlement reached and no claim filing process yet established.
Table of Contents
- HOW THE EVEREST RANSOMWARE GROUP BREACHED FCA US SYSTEMS
- WHAT PERSONAL DATA WAS COMPROMISED IN THE BREACH
- THE LEGAL CASE AGAINST FCA US—SPADAFORE V. FCA US LLC
- FCA US’S ALLEGED CYBERSECURITY FAILURES
- YOUR RISK IF YOUR DATA WAS EXPOSED IN THE BREACH
- CURRENT STATUS AND WHAT TO EXPECT IN THE COMING MONTHS
- WHAT THIS BREACH MEANS FOR CONSUMER DATA PROTECTION AND AUTOMOTIVE SECURITY
- Frequently Asked Questions
HOW THE EVEREST RANSOMWARE GROUP BREACHED FCA US SYSTEMS
The Everest ransomware group, known for targeting large corporations, successfully penetrated FCA US LLC’s network security on Christmas Day 2025. The exact attack vector has not been fully disclosed in public documents, but the breach exposed a troubling reality: one of the world’s largest automotive manufacturers did not have adequate safeguards against modern cyber threats. The fact that attackers could access Salesforce records and internal databases spanning four years suggests the company’s network segmentation and access controls were insufficient to contain or detect the intrusion quickly.
FCA US’s response to the ransom demand sealed the fate of millions of customers. Rather than pay a ransom that might have kept the data private, the company refused, which led the Everest group to publicly release the entire dataset on January 4, 2026. While refusing ransomware demands is generally considered the correct policy decision—it discourages future attacks and doesn’t fund criminal activity—the consequence was that sensitive personal data of customers was permanently exposed to anyone with internet access. This creates a permanent risk for affected individuals, unlike scenarios where stolen data is recovered or remains private.

WHAT PERSONAL DATA WAS COMPROMISED IN THE BREACH
The stolen data includes the full names, home addresses, phone numbers, and dates of birth for millions of individuals. More critically, the breach exposed Social Security numbers and driver’s license numbers—information that is essential for identity theft and fraud. These are not just isolated data points; they are the complete personal identifiers needed to open fraudulent credit accounts, apply for loans, commit tax fraud, or sell someone’s information to other criminals. The breach spanning 2021 through 2025 means that even customers who haven’t purchased a Chrysler, Jeep, Dodge, or Ram vehicle recently may be at risk if they had any interaction with the company during that five-year window.
A significant limitation of the publicly available information is that FCA US has not provided a clear breakdown of exactly how many individuals were affected or detailed confirmation of all data categories exposed. The 1 terabyte figure gives a sense of scale, but the actual number of exposed individuals remains unclear as of April 2026. This ambiguity makes it difficult for consumers to assess their personal risk. For comparison, the Equifax breach in 2017 affected 147 million people and led to a settlement exceeding $700 million. This FCA breach, given the comprehensiveness of the data stolen, could potentially affect comparable numbers of people.
THE LEGAL CASE AGAINST FCA US—SPADAFORE V. FCA US LLC
The class action lawsuit, Spadafore v. FCA US LLC (Case 2:26-cv-10214), was filed in the United States District Court for the Eastern District of Michigan on January 21, 2026, just seventeen days after the data was publicly released. The rapid filing reflects the urgency of the situation and the plaintiff’s attorneys’ assessment that FCA US’s failures warrant immediate legal action. As with most class action cases in early stages, the lawsuit names individual plaintiffs (in this case, Spadafore) who experienced damages from the breach, and seeks to represent all customers whose data was compromised.
The case is being handled by firms with experience in data breach litigation, including Wolf Popper LLP, which has litigated numerous consumer protection cases. At this early stage of litigation, no settlement has been reached, and FCA US has not yet made formal settlement offers. The case is still in the discovery phase, where both sides will exchange documents and evidence to support their positions. This means the litigation could take months or even years to resolve, and affected individuals should not expect immediate compensation.

FCA US’S ALLEGED CYBERSECURITY FAILURES
The lawsuit alleges that FCA US failed to implement fundamental cybersecurity best practices that would have prevented or limited the breach. Specifically, the company is alleged to have failed to implement encryption on sensitive customer data, meaning that once attackers accessed the systems, they could read the information without additional barriers. Encryption is considered one of the most basic and essential cybersecurity controls—without it, stolen data is immediately usable by criminals. The lack of multi-factor authentication (MFA) is another critical failure alleged in the lawsuit. MFA requires users to verify their identity through multiple methods before gaining access to systems, making it far harder for attackers with stolen credentials to access networks.
Additionally, FCA US is accused of having improper data deletion policies, meaning the company may have retained customer information longer than necessary or failed to securely destroy old data. This extended the window of vulnerability—the more data a company keeps, the more there is to lose if a breach occurs. By comparison, leading technology and financial services companies have adopted an assume-breach mindset, implementing zero-trust architectures, encryption everywhere, and strict data minimization practices. FCA US appears to have operated with older cybersecurity assumptions that treated breaches as unlikely events rather than inevitable risks. The tradeoff is that implementing these modern controls requires investment in infrastructure, training, and ongoing maintenance, which FCA US apparently underestimated or deprioritized.
YOUR RISK IF YOUR DATA WAS EXPOSED IN THE BREACH
If your name, address, phone number, Social Security number, or driver’s license number was in the FCA US database during the 2021-2025 window, your data is now publicly available to criminals. This creates specific, quantifiable risks. Identity thieves can use your Social Security number and date of birth to apply for credit in your name. They can use your driver’s license number to establish fake accounts, obtain loans, or fraudulently file tax returns. Your home address makes you a target for mail theft and physical fraud.
Your phone number can be used to support social engineering attacks, in which criminals call financial institutions pretending to be you. A critical limitation to understand: even if you didn’t buy a Chrysler product directly, you might still be affected if you were a passenger when someone bought a vehicle, inquired about financing, worked with a dealer, or had contact with FCA US in any capacity. The full scope of exposure is not yet clear because FCA US has not released a detailed accounting of affected individuals. You should assume that your risk is substantial if you had any interaction with Chrysler, Jeep, Dodge, Ram, or Fiat brands during the 2021-2025 period. Do not wait for notification from FCA US to take action. Begin monitoring your credit reports, place fraud alerts with credit bureaus, and consider freezing your credit to prevent unauthorized applications.

CURRENT STATUS AND WHAT TO EXPECT IN THE COMING MONTHS
As of April 2026, the Spadafore v. FCA US LLC lawsuit remains in early stages. No claim form or settlement process is yet available for affected individuals. The case is likely in the pleading phase, where attorneys for both sides are filing motions and the defendant is responding to allegations. This is normal for complex data breach litigation and does not indicate that the case is proceeding slowly—these phases are procedurally necessary and can take many months.
The timeline for resolution remains uncertain. Some data breach settlements take six to twelve months to resolve if both sides reach agreement quickly, while others take multiple years if the case goes to trial. FCA US has not yet responded publicly with detailed information about remediation efforts, which the company would typically offer during settlement negotiations. When a settlement is eventually reached, affected individuals will be notified through a claims process, typically administered by a claims administrator. At that point, individuals will need to provide proof of their data exposure and may be eligible for compensation, credit monitoring services, or both, depending on the terms negotiated.
WHAT THIS BREACH MEANS FOR CONSUMER DATA PROTECTION AND AUTOMOTIVE SECURITY
The FCA US breach highlights a critical vulnerability in automotive supply chains and data handling practices. Vehicle manufacturers collect extensive customer data—not just names and addresses, but information from warranty claims, service records, financing applications, and onboard vehicle systems. This data is often stored in accessible databases like Salesforce, which, while useful for business operations, creates security risks if not properly protected.
The breach demonstrates that even large, well-established companies have been slow to implement security practices that have been industry standard in banking and technology for years. Looking forward, this lawsuit may set an important precedent for how automotive companies must secure customer data. If the courts find FCA US negligent in its security practices, it could trigger broader industry changes and encourage other manufacturers to upgrade their defenses. Conversely, the case also raises questions about liability and responsibility: to what extent should manufacturers be held accountable for ransomware attacks carried out by sophisticated criminals, and at what point do security investments become unreasonable? The answers to these questions, as determined through this litigation and others like it, will shape data protection standards for the automotive industry for years to come.
Frequently Asked Questions
How do I know if my data was exposed in the FCA US breach?
If you purchased a vehicle from Chrysler, Jeep, Dodge, Ram, or Fiat between 2021 and 2025, or had any contact with FCA US during that period, your data is likely at risk. FCA US has not released a detailed list of affected individuals yet. If you’re unsure, assume your data was exposed and take protective measures such as credit monitoring and fraud alerts.
When will a claim filing process be available?
No claim filing process is currently available as of April 2026. The lawsuit is still in early stages, and a settlement has not been reached. Once settlement negotiations conclude and a settlement is approved, a claims administrator will be appointed and claim forms will be distributed, typically through the US mail or a dedicated website.
What compensation might be available if the lawsuit succeeds?
The amount and type of compensation are not yet determined. Based on similar data breach settlements, affected individuals typically receive monetary compensation per person (ranging from $100 to $1,000 or more), free credit monitoring services for a specified period, or both. The final amount will depend on negotiations between FCA US and the plaintiff’s attorneys.
Should I freeze my credit to protect myself?
Yes, a credit freeze is a strong protective measure. It prevents new accounts from being opened in your name without your explicit authorization. You can place a free freeze with all three major credit bureaus (Equifax, Experian, and TransUnion). The freeze remains in effect until you remove it, though you may need to temporarily lift it if you apply for credit yourself.
Can I join the lawsuit if I wasn’t named as a plaintiff?
You do not need to do anything to be part of the class action. Once the class is certified by the court, all affected individuals are automatically included unless they explicitly opt out. You will be notified of the settlement terms and claim procedures when they become available, and you can then file a claim for compensation.
What should I do if I discover fraudulent accounts or identity theft?
Contact the Federal Trade Commission at IdentityTheft.gov, file a report with local law enforcement, and notify the financial institutions where fraudulent accounts were opened. Keep detailed records of all fraud-related expenses and communications, as these may be compensable through insurance, the credit card issuer, or the settlement if you successfully dispute the fraudulent transactions.
