Allianz Data Breach Exposing PII of Almost 1.4M Brings Bevy of Lawsuits
A July data breach of Allianz Life Insurance Co. of North America precipitated a flurry of lawsuits alleging inadequate safety procedures. The company said the data breach exposed the personal information of most of its 1.4 million U.S. customers and stakeholders.
On July 16, “a malicious threat actor gained access to a third-party, cloud-based CRM system,” a company spokesperson said in an email. “The threat actor was able to obtain personally identifiable data related to the majority of Allianz Life’s customers, financial professionals, and select Allianz Life employees, using a social engineering technique.”
Allianz “took immediate action to contain and mitigate the issue and notified the FBI,” the spokesperson added. The investigation continues, though there's no evidence that other systems or the Allianz network itself were breached.
Class-action lawsuits started to be filed days after the breach, with the first, in the U.S. District Court for Minnesota, coming July 28 (case 25-03020, Simeon Taylor v. Allianz Life Insurance Company of North America). The complaint document faults Allianz for gathering a "vast volume of Personal Information" and protecting it inadequately, despite acknowledging "the real risk of a data breach for years."
Had Allianz "employed basic, long-established, and recommended security tools, the Data Breach should have been easily thwarted," the complaint added.
The harms to customers outlined in the complaint include loss of privacy; misappropriation of identity; fraud and identity theft as a result of misuse of stolen personal data; and lost time, effort and expense in responding to and preventing the harm posed by the breach.
At the time that suit was filed, plaintiff Simeon Taylor noted he had yet to receive a notification letter about the breach.
The most recent lawsuit is case 25-03139, filed Wednesday. The complaint in Lennon v. Allianz alleged that Social Security numbers, policy and contract numbers, mailing addresses and phone numbers were exposed in the breach.
Similar to the first suit, this complaint critiqued Allianz for failure "to take all reasonable and necessary measures to keep the Private Information collected safe and secure from unauthorized access."
Some of the other class-action complaints include Thompson v. Allianz, filed Monday; Fematt v. Allianz on Tuesday; and Canick v. Allianz, also filed Wednesday. All the suits against the Minneapolis-based company were filed in the U.S. District Court for Minnesota.
An Allianz Life spokesperson said Thursday that the company doesn't comment on pending litigation.
The Maine attorney general's office reported the breach on July 25, and said it was discovered July 17. It didn't report how many individuals or state residents were impacted. Allianz Life will provide 24 months of credit monitoring and identity theft restoration through Kroll, the Maine OAG site said.
Iowa's OAG also reported the breach July 25, and included a sample notification letter that said there was "an immediate temporary shut-down" of the website after discovering the breach on July 19 and 20, and that Allianz "implemented heightened security monitoring of the secure website" once it re-opened.
The New Hampshire AG website had a copy of the same letter on its breach site, which it said it received on July 28.
California's AG Office reported the breach July 25, but included no other information. The Texas AG reported the breach July 28, but said only one Texan was affected, and notice was not provided to customers.