The “unreasonable and inadequate” cybersecurity practices of Ally Financial Inc. and its online Ally Bank subsidiary left the personal data of “potentially billions” of its customers exposed to theft in an April data breach,a proposed class action said.
The financial holding company’s platform offering banking, home and auto loans, and other services, failed to encrypt or redact the personally identifying information of its customers, according to a complaint filed on Sept. 7 in the US District Court for the Western District of North Carolina. It also failed to use widely available software able to detect and prevent a cyberattack or employ other measures to secure its systems’ hardware, it said.
Ally first learned that an unauthorized third party gained access to its systems on April 23, according to the complaint. The company sent a notice letter to the Massachusetts attorney general’s office on May 23 disclosing that customers’ Social Security numbers, birthdates, and auto account numbers were among the information accessed, it said, but not specifying how the breach occurred or the number of customers affected.
None of the impacted current or former customers has received notification yet from Ally, according to the complaint, which estimated the number of individuals could range into the billions. Ally had 11 million customers in 2023, according to its 10-K annual report.
Customers PII stolen from Ally was then sold on the dark web, the filing said.
Plaintiff Sebestian Owens, a South Carolina resident, filed the proposed class action after finding his credit report listed an auto loan he didn’t take out that he said caused his credit score “to precipitously drop.”
The complaint accuses Ally of negligence, breach of implied contract, and unjust enrichment. The suit seeks monetary and injunctive relief, including requiring Ally to update its data security practices to prevent future breaches.
Representatives for Ally didn’t immediately respond to a request for comment.
The Van Winkle Law Firm and Kopelowitz Ostrow PA represent the plaintiffs.