We research all brands listed and may earn a fee from our partners. Research and financial considerations may influence how brands are displayed. Not all brands are included. Learn more.

Editor:
Published: Sep 25, 2024 5 min read
Photo of a hand holding a smartphone with the Ally Bank Logo
Money; Shutterstock

Ally, an online financial services company with a popular bank, is facing two lawsuits after a data breach may have exposed customers' personal information.

One complaint alleges thousands of people were affected, while another claims that "billions" of items of personally identifiable information (PII) — including Social Security numbers — were exposed.

In a Tuesday email to Money, Ally declined to comment on what it called the "pending litigation."

Ads by Money. We may be compensated if you click this ad.AdAds by Money disclaimer
Having your identity stolen may come at a high cost
With Aura in your corner, you'll have the proper software to protect your every online move. Nowadays, we all need Identity Theft Protection. Find yours by clicking on your state below.
HawaiiAlaskaFloridaSouth CarolinaGeorgiaAlabamaNorth CarolinaTennesseeRIRhode IslandCTConnecticutMAMassachusettsMaineNHNew HampshireVTVermontNew YorkNJNew JerseyDEDelawareMDMarylandWest VirginiaOhioMichiganArizonaNevadaUtahColoradoNew MexicoSouth DakotaIowaIndianaIllinoisMinnesotaWisconsinMissouriLouisianaVirginiaDCWashington DCIdahoCaliforniaNorth DakotaWashingtonOregonMontanaWyomingNebraskaKansasOklahomaPennsylvaniaKentuckyMississippiArkansasTexas
View Plans

However, the company did acknowledge the incident in a May letter to affected individuals that notified them of a breach and offered identity theft protection resources through Sontiq, which is part of TransUnion, at the bank’s expense.

"We understand how frustrating this experience may be for you and apologize for not meeting your expectations," Ally wrote. "Nothing is more important to us than doing it right for you … Thank you, as always, for letting us be your ally."

Although key questions remain unanswered, here’s what we know so far:

What happened in the Ally data breach

Ally notified the Massachusetts Attorney General's office that it had discovered on April 23 that an "unauthorized party" may have accessed personal data through a vendor’s systems, according to the notice.

"The information involved included your Social Security number, date of birth and auto account number," the letter said, adding that the vendor had contracted a computer forensics firm to investigate and "secure the impacted systems."

Ally is now named in two proposed class-action lawsuits. Both were filed in the U.S. District Court for the Western District of North Carolina.

In the first suit, filed on Sept. 7, Ally customer Sebestian Owens of South Carolina alleges that someone took out an auto loan in his name after the breach, hurting his credit score. He claims that his personal data was sold by cybercriminals and wound up on the dark web.

Moreover, his attorneys allege that Ally's failure to prevent cyberattacks led to "the exposure of the PII of allegedly billions of individuals."

Three days later, Texas resident Robert Hamilton filed a similar complaint arguing that he and thousands of others are owed damages because Ally did not protect their data. Hamilton, who previously used Ally to finance two vehicles, says he received a letter from Ally on Aug. 30 notifying him that he was affected by a breach. The lawsuit describes this as a "long delay" after the incident, which he said has exposed him to a high risk of identity theft.

How many people are affected by the breach

Class-action lawsuits are filed on behalf of groups of people who may have experienced harm. They must be certified in order to move forward. Ultimately, if a settlement is reached and approved by a judge, victims can receive payouts from the settlement fund.

At this point, there’s no official estimate of the size of the breach from either Ally or a government source. Here are the descriptions of the scope of the breach from the two lawsuits:

  • The Owens complaint says that "potentially billions of individuals will soon be notified by Ally of the Breach. The Class is apparently identifiable within Ally’s records, and Ally has already identified these individuals or is in the process of doing so."
  • The Hamilton complaint alleges that the breach may have affected "thousands to tens of thousands of individuals’ detailed personal information.”

Ally has about 11 million customers.

How to protect yourself after the Ally data breach

If your personal data becomes compromised in any data breach, there are actions you can take to safeguard your identity. These include freezing your credit, changing passwords and checking your credit reports.

Everyone can (and should) regularly check their credit reports and credit score, which you can do on a regular basis at no cost. Look out for any unrecognized accounts or unexplained decreases in your credit score.

If you spot any malicious activity, you should report the issue to authorities, file an identity theft complaint with the Federal Trade Commission and contact your banks. You can also place a fraud alert with the credit bureaus.

Also consider freezing your credit. In light of recent breaches, some experts say that everyone should take this step, which prevents criminals from applying for loans using your Social Security number.

Ads by Money. We may be compensated if you click this ad.AdAds by Money disclaimer

Includes VPN & password manager

šŸ”„ Best sale of the year 78% Today

  • 250X Faster Fraud Alerts than Competitors*
  • Up to $5 Million in Identity Theft Insurance
  • AI Spam Call & Message Protection
  • 3-Bureau Credit Monitoring & Credit Lock Service
  • Monthly Credit ScoreĀ¹ & Annual Credit Reports

Up to $3 million identity theft coverage

šŸ”„ Get Up to 52% Off Your First Year

  • Up to $3 Million ID Theft Coverage*
  • 401(k) & Investment Account AlertsĀ¹
  • 3-Bureau Credit & SSN MonitoringĀ¹
  • Add Device Security & VPN

Comprehensive 3-bureau monitoring system

Best Sale of the year 63% off 

  • All Plans Include $1 Million Identity Theft Insurance*
  • Real Time Monitoring of Your SSN, Accounts & Identity
  • 3-Bureau Credit Monitoring & Monthly Credit ScoreĀ¹
  • Online and Device Security

Over 40 years of experience in the field

  • $1 million identity theft insurance & recovery
  • 3 bureau credit monitoring
  • Bank and credit card activity alerts
  • VPN through mobile app

More from Money:

8 Best Identity Theft Protection Services of September 2024

Was Every American's Social Security Number Really Just Hacked?

Dollar Scholar Asks: When and Why Should I Freeze My Credit?

Ads by Money. We may be compensated if you click this ad.Ad
Protect yourself from the threat of Identity Theft with Aura