Ally Bank is facing a proposed class action lawsuit over an April data breach in which an unauthorized user accessed customers' sensitive information, including their Social Security numbers.
The complaint, filed this month in the US District Court for the Western District of North Carolina, alleges that the breach compromised both former and current Ally Bank customers and that collected data has been sold on the dark web, Bloomberg Law first reported.
The data breach potentially impacted "billions" of people, according to the lawsuit. In Ally Bank's 2023 annual report, the company said it currently serves about 11 million customers.
Ally Bank notified the Massachusetts Attorney General's office of the breach on May 23. According to the bank's memo, criminals gained access to customers' auto account numbers, dates of birth and Social Security numbers through a vendor's systems. It did not specify the third-party company or how many customers were affected. If you were affected, you should be receiving a notice in the mail.
In a sample letter sent to customers, the company wrote, "We understand how frustrating this experience may be for you and apologize for not meeting your expectations. Nothing is more important to us than doing it right for you."
Ally Bank is offering three years of identity theft protection to affected individuals through Sontiq, a TransUnion company. Ally Bank did not immediately respond to CNET's request for comment.
Aura was founded in 2017 by CEO Hari Ravichandran after his identity was stolen a few years earlier. We believe Aura gives you the most bang for your buck compared with the competition. For a reasonable monthly price, you can get features rival services make you upgrade for. We also appreciate its straightforward pricing model (just four plans to choose from).
Like most identity theft protection services, Aura scans the dark web for your personal information, in addition to monitoring your Social Security number and criminal record activity for potential signs of identity theft. Aura subscribers also receive identity theft insurance of up to $1 million per adult.
Aura’s plans also include perks like a virtual private network, email aliases to keep unwanted emails out of your inbox, and antivirus protection on up to 10 devices per adult. We also like that Aura offers three-bureau credit monitoring with all plans. Typically, providers only offer three-bureau credit monitoring through their most expensive tier.
Starts at $13 per month
- $13 per month for Kids plan
- $15 per month for Individual plan
- $29 per month for Couple plan
- $50 per month for Family plan
Annual plans cost $120 for Kids, $144 for individuals, $228 for couples and $240 for families (five adults and unlimited children) under current promotional pricing.
Bank breaches occur regularly
Some of the biggest breaches in recent history have involved banks, including the 2019 Capital One data breach and the cyberattack on JPMorgan Chase one decade ago. Hackers who successfully infiltrate a company or vendor's systems get access to massive amounts of personal and financial data.
"The complexity of financial systems and the sheer volume of sensitive information make banks a prime target for cyberattacks," said Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance, in an email. "The potential for financial gain and reputational damage makes them a consistent focus for cybercriminals. However, breaches that result in actual theft of funds from the bank's systems are less common than those targeting customer data."
Your data may also be compromised by bank employees with access to your account. This happened to Ally Bank in May 2023, according to a memo sent to Maine's attorney general's office last year. TD Bank reported a similar incident in July.
So far this year, Bank of America and Varo Bank -- in addition to TD Bank and Ally Bank -- have reported data breaches that compromised customer data. Overall, these breaches are seemingly smaller in scale than the National Public Data, Ticketmaster and AT&T breaches that made headlines this year, which together impacted hundreds of millions of customers.
According to Steinhauer, data breaches are becoming more common as industries from banking to healthcare rely on digital systems and data to operate efficiently.
"Unfortunately, this growing dependence on data has made organizations more vulnerable to cyberattacks," he said.
How to protect your identity after a data breach
When your data is compromised, that doesn't automatically mean your identity will be stolen. But because identity thieves will have a more complete profile of you, it's easier for them to steal your identity or craft more targeted scams against you.
Below are some tips on how you can protect your identity, credit reports, money and other accounts after your data is compromised.
First, change your password
If you learn your data was compromised in a breach, the first step should be to change your password for the affected account to avoid any unauthorized access. If you use the same password for other accounts, it’s a good idea to update those too.
Experts suggest you have a unique password for each online account you create. If you’re finding this difficult to manage, try keeping your passwords safe with a password manager.
Freeze your credit
Freezing your credit with Equifax, Experian and TransUnion is the best way to keep bad actors from opening new credit accounts in your name. You'll have to unfreeze your credit any time you want to apply for a new credit card or car loan, but the benefits outweigh the hassle (you can read about my own experience freezing my credit here).
Freezing your credit is free, but keep in mind that cybercriminals may still gain access to your existing credit and bank accounts, so this is not a foolproof solution.
Keep an eye on your credit reports
Ally Bank is offering customers affected by the data breach free Sontiq identity theft protection services for three years.
What services is Ally Bank offering customers through Sontiq?
- Unlimited online access to a TransUnion credit report and score
- Access to TransUnion credit lock, allowing you to instantly lock and unlock your TransUnion Credit Report
- Daily three-bureau credit monitoring
- Access to up to $1,000,000 identity theft expense reimbursement insurance
- White glove restoration services in the event your identity is stolen
Make sure to download a free credit report from each of the three major credit bureaus at AnnualCreditReport.com to check for any new credit accounts you did not open. Additionally, get in the habit of checking your bank statements for any fraudulent charges. If you notice any, report them to your bank right away.
Watch out for phishing and smishing attempts
Once they have your personal data, identity thieves could target you via phishing emails and smishing texts to extract even more information. Cybercriminals are crafty in devising effective fraud schemes to dupe victims, especially with so much of our personal information available online and through social media.
It’s important to not click random links in your texts or emails, which can lead to malicious software being downloaded onto your devices.
Also, do not provide your financial account information or Social Security number on a whim to anyone, as this can lead to unauthorized access to your bank accounts or even identity theft.
Sign up for identity theft protection
Data breaches occur often, so if you’re concerned about your identity being protected, you might want to sign up for long-term identity theft protection after your Equifax trial ends, or if you want more protection than this coverage offers. You can buy individual coverage from $7 to $15 per month or family plans to keep your spouse and kids secure. Identity theft protection services will alert you if your sensitive data is on the dark web and can notify you of any data breaches that may impact you.






