STIIIZY Data Breach Settlement 2026: $2.95 Million — Who Can File and What It Pays
STIIIZY agreed to a $2.95 million settlement over the late-2024 breach that exposed government IDs and purchase histories of roughly 380,000 cannabis customers. Claims are open until September 10, 2026 — California residents get a doubled share.
Last reviewed: April 2026
Editorially Reviewed — Content reviewed for accuracy using published legal research, government data, and verified court records. See our methodology
Reviewed by Leonard Goldberg, Editor · Last updated
What the Lawsuit Alleges
Between October 10 and November 10, 2024, attackers compromised a point-of-sale vendor serving four California STIIIZY locations (two in San Francisco, plus Alameda and Modesto). The Everest ransomware group claimed the attack and alleged 422,075 stolen customer records; STIIIZY notified about 380,000 people. What makes this breach unusually sensitive: exposed data included driver's licenses, passport numbers, government-ID photographs, medical cannabis cards, and cannabis purchase histories — identity documents tied to legally sensitive purchases. The class action (In re: STIIIZY Inc. Data Breach Security Litigation) alleged STIIIZY failed to secure customer data and delayed disclosure (breach ran October–November 2024; public notice came January 10, 2025). STIIIZY denies wrongdoing but agreed to a $2.95 million settlement.
Case Details
U.S. District Court for the Central District of California — Case No. 2:25-cv-00490, Judge George H. Wu. Defendants: STIIIZY, Inc. and CV Wellness, LLC. Official administrator site: stiiizydatabreachsettlement.com.
Current Status
Who Is Affected & Can You Join?
Anyone whose personal information was accessed or compromised in STIIIZY's October 2024 incident — core class: customers of the four affected California stores (STIIIZY Union Square SF, Mission SF, Alameda, Modesto) during the breach window. You do NOT need to show actual fraud; being affected is enough. California residents form a subclass that receives twice the pro-rata share of non-California members.
Is There a Payout?
Case Timeline
- 1
October–November 2024 — The Breach
Attackers compromise a point-of-sale vendor used by four California STIIIZY stores (Oct 10 – Nov 10). The Everest ransomware group later claims the attack and lists STIIIZY on its leak site, alleging 422,075 stolen records.
- 2
January 10, 2025 — Public Disclosure
STIIIZY publicly discloses the incident and begins notifying ~380,000 customers. The first class action (G.E. v. STIIIZY Inc.) is filed in the Central District of California one week later.
- 3
May 28, 2026 — Preliminary Approval
Judge George H. Wu preliminarily approves the $2.95 million settlement covering STIIIZY, Inc. and CV Wellness, LLC.
- 4
June 26, 2026 — Notice Campaign
The administrator begins mailing and emailing notices — the reason searches for this settlement spiked in early July.
- 5
August 26 / September 10, 2026 — Deadlines
Opt-out and objection deadline August 26; claim-filing deadline September 10, 2026 at stiiizydatabreachsettlement.com.
- 6
October 19, 2026 — Final Approval Hearing
Hearing at 8:30 a.m. PT before Judge Wu. Payments follow final approval plus any appeal period — realistically 2027.
Scam & Misinformation Warnings
Whenever a brand lawsuit goes viral, scam sites and bad actors follow. Watch for these red flags:
Phishing that impersonates the administrator
The real administrator ([email protected], 1-855-907-2590) never asks for your Social Security number, bank login, or a 'processing fee.' The breach exposed government IDs — scammers already have enough to sound convincing, so verify the domain before entering anything.
Lookalike claim sites harvesting ID documents
Because documented-loss claims can involve uploading proof, fake portals (stiiizy-settlement.com and similar) target exactly those uploads. The only legitimate site is stiiizydatabreachsettlement.com.
'Larger payout' calls and texts
Nobody legitimate calls offering a bigger share in exchange for your driver's license or passport number. The payment options are fixed by the court-approved plan — anyone promising more is stealing identities.
Frequently Asked Questions
How much will I get from the STIIIZY settlement?
It depends on which option you pick and how many people file. Documented out-of-pocket losses pay up to $7,500 with proof. The no-documentation pro-rata cash payment comes from a ~$1.9M net fund shared among all cash claimants — California residents receive a doubled share. The third option, two years of three-bureau credit monitoring with $1M identity-theft insurance, has a retail value that likely exceeds a small cash payment if your ID documents were exposed.
When is the claim deadline?
September 10, 2026. The opt-out/objection deadline is earlier — August 26, 2026 — and the final approval hearing is October 19, 2026.
Who is eligible?
Anyone notified that their data was involved in STIIIZY's October 2024 incident — primarily customers of the four affected California stores (Union Square SF, Mission SF, Alameda, Modesto) between October 10 and November 10, 2024. You don't need to have suffered fraud. California residents automatically get a doubled pro-rata share.
What data was exposed?
According to the notifications: driver's license and passport numbers, government-ID photographs and signatures, medical cannabis cards, dates of birth, addresses, and purchase/transaction histories. That combination — identity documents plus cannabis purchase records — is why this breach is treated as unusually sensitive.
Was my cannabis purchase history leaked publicly?
The Everest ransomware group claimed the theft and listed STIIIZY on its leak site in late 2024, which typically means stolen data was published or sold when no ransom was paid. Treat the exposed information as compromised: freeze your credit, watch for ID-based fraud, and consider the settlement's monitoring option.
When will payments arrive?
After the October 19, 2026 final approval hearing plus any appeals — realistically sometime in 2027. Filing by September 10, 2026 is what secures your place; the administrator posts timing updates on the official site.
Does filing affect my privacy further?
The claim form asks for contact details and, for documented losses, supporting receipts — filed with the court-appointed administrator under the settlement's confidentiality terms. It does not create a public record of your purchases. Use only the official site.