
A new federal class action lawsuit filed in Michigan accuses automaker FCA US LLC, doing business as Stellantis North America, of failing to safeguard customer data, resulting in a December 2025 breach that exposed sensitive personal information belonging to tens of thousands of Chrysler and Jeep customers.
The lawsuit, brought by Loria and Thomas Spadafore, alleges that ransomware operators from the Everest group infiltrated Stellantis systems around December 25, exfiltrating roughly 1 terabyte of personally identifiable information (PII). The stolen data includes full names, addresses, phone numbers, dates of birth, and Social Security numbers. After Stellantis reportedly refused to pay a ransom, Everest published the data online on January 4, 2026.
The plaintiffs claim that Stellantis failed to implement even basic cybersecurity best practices, such as encryption, multi-factor authentication, and secure data retention policies. The suit contends this negligence enabled Everest to penetrate internal databases, directly affecting buyers like the Spadafores, who had submitted sensitive personal information when purchasing a 2023 Jeep Gladiator.
Stellantis, the world’s fourth-largest automaker by volume, oversees several major brands including Jeep, Dodge, Ram, Peugeot, and Maserati. Its North American division, FCA US LLC, is headquartered in Auburn Hills, Michigan, and manages a vast array of digital systems tied to vehicle ownership, customer service, and connected vehicle platforms. The exposed data stems from these business systems and affects customers across the United States, not just Illinois, where the plaintiffs reside.
According to the complaint, Stellantis’ security shortcomings violated both federal consumer protection laws and Illinois state law. The plaintiffs argue the company’s failure to comply with established standards, such as those outlined in the NIST Cybersecurity Framework and the Center for Internet Security’s Critical Security Controls, puts customers at increased risk of identity theft and fraud.
The lawsuit seeks class certification and alleges multiple causes of action, including negligence, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violations of the Illinois Consumer Fraud and Deceptive Business Practices Act. It demands damages, court costs, and injunctive relief mandating stronger cybersecurity measures.
This latest case comes just months after Stellantis confirmed another data breach incident in September 2025, where third-party systems used for customer support in North America were compromised. At the time, the ShinyHunters group claimed responsibility and alleged a deeper intrusion into Salesforce environments, though Stellantis stated that only basic contact information was affected. Furthermore, the automaker was named again in October by the Scattered LAPSUS$ Hunters group, who claimed widespread theft of sensitive data from companies using Salesforce products, including Stellantis and Maserati.
The lawsuit draws on these prior incidents to argue that Stellantis was already on notice about the risks of cyberattacks targeting its infrastructure. Yet, plaintiffs allege, the company failed to take adequate preventive steps.
Stellantis has not issued public statements about the lawsuit and has not responded to our request for comment as of publication.
