Ally Bank

Two lawsuits filed against Ally Bank this month accuse the company of failing to protect customer data from breaches, and of taking too long to notify customers after the compromise of personal data, including Social Security numbers. 

Data breach lawsuits have become more common as breaches themselves happen with unrelenting frequency. The number of data breaches in the U.S. rose from 447 in 2012 to more than 3,200 in 2023, according to Statista. In a more recent trend, cybercriminals often publish and sell the stolen customer data on the dark web. 

“We’re at the ‘unsafe at any speed’ point in data,” said consultant Allison Sagraves, who formerly was chief data officer at M&T Bank. “Customers are smart enough to know that digital products need to be designed with reasonable safety protocols. Digital negligence is real — consumers expect companies to use appropriate safety protocols. Breaches will happen, but we need to continue to work on building safer digital traffic.”  

Both of the lawsuits against Detroit-based Ally Financial and its banking subsidiary were filed in the U.S. District Court for the Western District of North Carolina. Both claim that the bank failed to implement the adequate and reasonable cybersecurity procedures and protocols necessary to protect customers’ personally identifiable information.

Both complaints say the plaintiffs are at risk of fraud and identity theft for the rest of their lives. Both seek damages, lawyers’ fees and action by the bank to address its cybersecurity shortcomings. The claims were filed by different law firms, but contain snippets of identical language.

It was not clear, based on the information included in the complaints, whether the cases involve separate data breaches. But the two suits describe customers being notified at different times, suggesting that they may involve separate incidents.

Ally declined to comment.

In one of the complaints, Robert Hamilton, who lives in Odessa, Texas, and had two auto loans with Ally, said he found out that the bank had been breached on Aug. 1.

According to Hamilton, an unauthorized third party gained access to a vendor’s system at an undisclosed time, obtaining full names, Social Security numbers, dates of birth, addresses, driver’s license numbers, email addresses and phone numbers of Ally customers. The vendor was the collections agency Financial Business and Consumer Solutions, according to a footnote in the complaint.

“The cyberattack and ensuing data breach were the result of Defendants’ failure to implement reasonable and industry-standard data security practices,” the complaint states. Hamilton received a data breach notification letter on Aug. 30. The complaint does not explain how he found out about the breach nearly a month before receiving the letter.

“Defendants could have prevented this Data Breach by properly encrypting or otherwise protecting its systems and those it utilizes containing Private Information,” the complaint states. It quotes the bank’s assertion on its website that it protects customer data: “[w]e restrict access to the personal information obtained from our website to only those employees, agents and contractors who need it to do their jobs. We maintain administrative, technical, and physical safeguards designed to protect your personal information.”

Hamilton’s complaint also accuses Ally of failing to inform customers that it was storing or sharing customers’ personally identifiable information “on an [unsecure] platform, accessible to unauthorized parties from the internet, and would do so after the customer relationship ended.”

Hamilton is asking the court to require the bank to make many sweeping changes to its data security practices, including requiring it to encrypt all customer data, delete ex-customers’ data, implement a comprehensive information security program, do pen testing and use firewalls and access controls.

In the second suit, Sebestian Owens, a South Carolina resident, says he received a data breach notice dated May 23. In the notice, Ally Bank said it became aware on Apr. 23 that Owens’ personal information may have been accessed by an unauthorized party who gained access to a vendor’s systems, according to the complaint. The vendor was not named. The exposed information included Social Security numbers, dates of birth and auto account numbers.

Owens believes this information was published and sold on the dark web by cybercriminals, according to the lawsuit. Ally failed to adequately protect, encrypt or redact sensitive personally identifiable information, the complaint states.

“The exposure of one’s PII to cybercriminals is a bell that cannot be un-rung,” the complaint states. “Before this Data Breach, Plaintiff’s and the Class’s PII was exactly that — private. Not anymore. Now, their PII is forever exposed and unsecure.”

Lawsuits like these will drive more investment in cybersecurity, Sagraves said. “As a litigious society, we don’t always get this balance right,” she said.