Mercor, an AI training firm with a valuation of $10 billion, is facing a sudden surge of legal challenges following a significant data breach that exposed the sensitive information of its workforce. In a single week, contractors filed five separate lawsuits in federal courts across California and Texas, alleging that the company’s negligence violated data privacy and consumer protection laws.
The legal filings suggest a systemic failure to protect personal identifying information (PII), claiming that the breach may have handed “bad actors” access to Social Security numbers, home addresses, and recordings of interviews. For the gig workers who fuel the company’s AI training operations, the breach represents a profound violation of trust and a tangible risk to their financial security.
The fallout has already extended beyond the courtroom. Meta, the parent company of Facebook and a major client of Mercor, has paused its work with the firm while investigating the extent of the security failure. This suspension highlights the precarious nature of the AI supply chain, where the security of a third-party training partner can create immediate liability for the world’s largest tech giants.
The Technical Root: The LiteLLM Breach
The security failure appears to stem from a vulnerability in LiteLLM, an open-source project created by Berrie AI. Mercor confirmed last week that it was impacted by a breach of this project, though the company did not provide a detailed inventory of the stolen data.
The reality of the leak became clearer as hackers began posting sample materials online. These samples reportedly included internal Slack communications and videos featuring conversations between Mercor contractors and an AI system, providing a window into the company’s internal operations and the nature of the training tasks performed by its workers.
For contractors like NaTivia Esson, the breach is not a theoretical risk but a personal crisis. In a lawsuit filed by Esson and her legal team at Strauss Borrelli, she detailed her employment with Mercor from March 2025 to March 2026. Esson noted that she submitted a W-9 form—which contains a Social Security number—every time she accepted a new assignment.
“I trusted the company would apply reasonable measures to protect it,” Esson’s complaint reads. “Because of the data breach, plaintiff anticipates spending considerable amounts of time and money to try and mitigate her injuries.”
Questionable Compliance and the ‘Whistleblower’ Claim
While most of the legal pressure is focused on Mercor, one of the lawsuits expands its scope to include Berrie AI and Delve Technologies. Delve, an “automated compliance” firm, had previously certified that Berrie AI met specific industry security standards.
The complaint in that case introduces a more volatile element: a whistleblower who has allegedly exposed misconduct within Delve Technologies. These allegations mirror a previously published anonymous Substack post that accused Delve of facilitating “fake compliance” and arranging sham security audits to give companies a veneer of safety they had not actually earned.
Delve Technologies has denied these claims, issuing a statement last month rejecting the accusations of fraudulent auditing. Neither Berrie AI nor Delve Technologies responded immediately to requests for comment regarding the current lawsuits.
Timeline of the Mercor Security Crisis
| Event | Detail |
|---|---|
| The Breach | Compromise of the open-source LiteLLM project created by Berrie AI. |
| Client Response | Meta pauses AI training collaboration with Mercor. |
| Public Leak | Hackers post Slack data and contractor-AI interaction videos. |
| Legal Wave | Five contractor lawsuits filed in California and Texas federal courts. |
| Lead Generation | MercorClaims.com goes live around April 1 to attract potential plaintiffs. |
What Contractors Can Expect from Breach Settlements
As the Mercor contractor lawsuits data breach litigation moves forward, the potential for recovery remains uncertain. While the plaintiffs seek unspecified monetary damages, historical data suggests that broad data breach settlements often result in modest individual payouts.
According to a survey of settlements conducted between 2018 and 2021 by Cornerstone Research, the largest cases typically settled for between $1 and $5 per class member. However, those who can provide documentation of actual financial losses—such as identity theft or unauthorized bank withdrawals—may be eligible for higher payments.
Non-monetary relief is also common in these cases, often taking the form of complimentary credit monitoring services for a set period to help victims detect future fraud.
The legal pressure on Mercor may continue to mount. The emergence of MercorClaims.com around April 1 suggests that law firms are already aggressively seeking to build larger class-action suits, even if the site is not yet linked to a specific firm. Mercor has declined to comment on the lawsuits or the ongoing investigation into the breach.
Note: This article discusses ongoing legal proceedings. The information provided is for informational purposes and does not constitute legal advice.
The next critical phase of this story will likely unfold as the federal courts in California and Texas rule on the initial motions to dismiss or allow the cases to proceed to discovery, where Mercor’s internal security protocols will be scrutinized. We will continue to monitor court filings for updates on the proceedings.
Do you have experience with AI training platforms or have you been affected by a data breach? Share your thoughts in the comments or reach out to our newsroom.
