Subscribe To Our Newsletter
Subscribe To Our Newsletter
Columbia Pacific Advisors, LLC experienced a cybersecurity incident on November 28, 2025, potentially exposing sensitive personal information, including Social Security numbers, financial data, health insurance, and medical information. The company secured its network, completed a forensic review, notified affected individuals, and implemented enhanced safeguards. Individuals are advised to monitor accounts, consider credit protection measures, and explore legal options regarding potential misuse of their personal data .
The $500,000 settlement officially wraps up a class action lawsuit known as Gonzalez v. CR&R Incorporated. The litigation was launched after the company discovered a targeted network disruption where unauthorized third parties breached its digital defense systems. Instead of enduring a prolonged, unpredictable courtroom battle, both parties agreed to this compromise to provide guaranteed relief to the thousands of consumers left vulnerable by the cyberattack.
Everyday people often have no choice but to provide deep financial and personal information to essential service providers like utility and waste management corporations. When those entities fail to maintain modern digital barriers, consumers are forced to deal with the stressful, time-consuming fallout of identity exposure. This settlement is a vital tool to hold companies accountable and offer meaningful recovery options to affected consumers.
The core of the class action lawsuit centered around a serious security failure that occurred on or around December 13, 2022. According to court filings, cybercriminals successfully infiltrated the internal server networks of CR&R Environmental Services. The lawsuit alleged that the waste disposal chain’s lack of robust network monitoring allowed hackers to access and copy sensitive consumer profiles entirely undetected.
The files exposed during the data breach contained highly confidential data points. Compromised records included full names, Social Security numbers, bank and financial account details, and health insurance information. This extensive combination of financial, medical, and personal identity data represents a goldmine for digital thieves, dramatically increasing the long-term risk of targeted identity theft and financial fraud for everyone affected.
The $500,000 settlement fund provides clear pathways for affected class members to receive direct compensation, depending on the level of disruption they experienced. The first pathway focuses on consumers who incurred tangible, out-of-pocket financial losses while trying to repair or protect their identities in the wake of the December 2022 cyberattack.
Under this expense-reimbursement category, you may be eligible to collect up to $5,000 for documented financial harm. This covers expenses accumulated between December 13, 2022, and August 24, 2026, that can be reasonably traced back to the breach. Covered losses include unauthorized credit charges, bank fees, the cost of personal credit monitoring services, fees for credit freezes, and expenses for replacing government identification cards.
The attorneys representing the affected consumers recognize that many people spend considerable time and effort monitoring their accounts after a breach, even if they never lose actual money to a scammer. If you fall into this category, don’t stand alone. The settlement offers a second pathway designed for everyday people who do not have complex financial paperwork to submit.
Instead of trying to calculate and prove exact out-of-pocket losses, class members can file a claim for a flat, alternative cash payment. The settlement administrator currently estimates that this pro rata payout will be around $150. However, the exact amount will ultimately be determined on a sliding scale based entirely on the total number of approved cash claims submitted by the public before the deadline.
In addition to the cash benefits, the settlement acknowledges that a Social Security number leak requires ongoing, long-term vigilance. To address this risk, CR&R has agreed to fund comprehensive identity tracking tools for all affected individuals. Every eligible class member has the option to enroll in two years of free, three-bureau credit monitoring services.
This identity protection service allows you to actively track your credit profile across the major credit reporting agencies, providing real-time alerts if a bad actor attempts to open a fraudulent account or auto loan in your name. You can select this free credit monitoring benefit on your claim form either in addition to your documented-loss claim or alongside the alternative cash payout.
If you decide to file a claim for the high-value $5,000 fraud reimbursement tier, you must provide clear, supporting paperwork to the settlement administrator. Simple assertions or unsupported claims of identity theft will not qualify for a maximum payout. The vetting process is strict to ensure the $500,000 fund is distributed fairly to legitimate victims.
To secure approval for out-of-pocket expenses, you must upload or mail clear proof alongside your claim form. Acceptable documentation includes bank or credit card statements highlighting unrecovered fraudulent transactions, invoices or receipts for credit repair services, or official letters from your financial institution regarding account fraud. If your documents are rejected, your claim will automatically be redirected to the standard $150 cash tier.
The litigation against CR&R highlights the expanding legal landscape surrounding data privacy and corporate negligence. The plaintiffs argued that as a major business handling critical infrastructure across Southern California and neighboring states, CR&R had a binding legal duty to employ modern, multi-layered data security practices to defend its servers from predictable cybersecurity threats.
While CR&R denies all allegations of wrongdoing and maintains that its security infrastructure was reasonable, the company chose to settle the case to avoid further legal fees and structural distractions. For everyday consumers, these settlements serve as a critical reminder that corporations must face real financial accountability when they fail to safeguard the highly confidential information entrusted to them.
Determining whether you can participate in this settlement is straightforward. The settlement class officially covers approximately 13,014 individuals who reside in the United States and whose personal information was involved in the CR&R data security incident that occurred around December 2022.
The vast majority of eligible individuals should have already received a paper settlement package via mail. Because CR&R operates under various regional names like CR&R Environmental Services, you may be included if you are a residential or commercial waste management customer in their service areas. If your notice arrived, it will feature a unique ID and PIN that acts as your key to unlocking the claims portal.
To receive your share of the $500,000 settlement, you must take proactive action. Eligible consumers can complete and submit an official claim form electronically by visiting crrdatasettlement.com. Once on the site, you simply enter your unique notice credentials to choose your preferred payout method, such as Zelle, Venmo, PayPal, a virtual prepaid card, or a traditional paper check.
If you prefer to handle the process manually, you can download a printable PDF copy of the claim form directly from the homepage. Once filled out, the form can be sent via email to info@CRRDataSettlement.com or mailed via the postal service to the settlement administrator’s physical address in Santa Ana, California. All submissions must be completed online or postmarked by August 24, 2026.
Submitting your claim form before the August deadline is the most critical step, but patience will be required before checks and digital deposits are distributed. The court overseeing the case has scheduled a formal final approval hearing for September 14, 2026. At this session, the judge will officially review the deal’s fairness and decide whether to authorize the final distribution of funds.
The settlement administrator is contractually obligated to issue the cash payouts and dispatch the credit monitoring enrollment links approximately 75 days after the court issues its final approval order. This timeline ensures that all submitted claims are properly audited and that any late-stage legal appeals from third parties are entirely cleared.
New cases and investigations, settlement deadlines, and news straight to your inbox.
