Lawsuits Accuse Ally of Failing to Protect Customers From Data Breach
Ally, an online financial services company with a popular bank, is facing two lawsuits after a data breach may have exposed customers' personal information.
One complaint alleges thousands of people were affected, while another claims that "billions" of items of personally identifiable information (PII) — including Social Security numbers — were exposed.
In a Tuesday email to Money, Ally declined to comment on what it called the "pending litigation."
However, the company did acknowledge the incident in a May letter to affected individuals that notified them of a breach and offered identity theft protection resources through Sontiq, which is part of TransUnion, at the bank’s expense.
"We understand how frustrating this experience may be for you and apologize for not meeting your expectations," Ally wrote. "Nothing is more important to us than doing it right for you … Thank you, as always, for letting us be your ally."
Although key questions remain unanswered, here’s what we know so far:
What happened in the Ally data breach
Ally notified the Massachusetts Attorney General's office that it had discovered on April 23 that an "unauthorized party" may have accessed personal data through a vendor’s systems, according to the notice.
"The information involved included your Social Security number, date of birth and auto account number," the letter said, adding that the vendor had contracted a computer forensics firm to investigate and "secure the impacted systems."
Ally is now named in two proposed class-action lawsuits. Both were filed in the U.S. District Court for the Western District of North Carolina.
In the first suit, filed on Sept. 7, Ally customer Sebestian Owens of South Carolina alleges that someone took out an auto loan in his name after the breach, hurting his credit score. He claims that his personal data was sold by cybercriminals and wound up on the dark web.
Moreover, his attorneys allege that Ally's failure to prevent cyberattacks led to "the exposure of the PII of allegedly billions of individuals."
Three days later, Texas resident Robert Hamilton filed a similar complaint arguing that he and thousands of others are owed damages because Ally did not protect their data. Hamilton, who previously used Ally to finance two vehicles, says he received a letter from Ally on Aug. 30 notifying him that he was affected by a breach. The lawsuit describes this as a "long delay" after the incident, which he said has exposed him to a high risk of identity theft.
How many people are affected by the breach
Class-action lawsuits are filed on behalf of groups of people who may have experienced harm. They must be certified in order to move forward. Ultimately, if a settlement is reached and approved by a judge, victims can receive payouts from the settlement fund.
At this point, there’s no official estimate of the size of the breach from either Ally or a government source. Here are the descriptions of the scope of the breach from the two lawsuits:
- The Owens complaint says that "potentially billions of individuals will soon be notified by Ally of the Breach. The Class is apparently identifiable within Ally’s records, and Ally has already identified these individuals or is in the process of doing so."
- The Hamilton complaint alleges that the breach may have affected "thousands to tens of thousands of individuals’ detailed personal information."
Ally has about 11 million customers.
How to protect yourself after the Ally data breach
If your personal data becomes compromised in any data breach, there are actions you can take to safeguard your identity. These include freezing your credit, changing passwords and checking your credit reports.
Everyone can (and should) regularly check their credit reports and credit score, which you can do at no cost. Look out for any unrecognized accounts or unexplained decreases in your credit score.
If you spot any malicious activity, you should report the issue to authorities, file an identity theft complaint with the Federal Trade Commission and contact your banks. You can also place a fraud alert with the credit bureaus.
Also consider freezing your credit. In light of recent breaches, some experts say that everyone should take this step, which prevents criminals from applying for loans using your Social Security number.