Ally Financial faces two class action lawsuits in the wake of a data breach earlier this year.
Plaintiff Sebastian Owens and other class members are suing Ally Financial subsidiary Detroit-based Ally Bank, according to court documents filed Sept. 7 in the District Court of the Western District of North Carolina, for:
- Failing to design, implement and maintain reasonable data retention policies; and
- Failing to encrypt personally identifiable information (PII).
Ally notified clients May 23 that it had experienced a data breach in April that allowed an unauthorized party to access a vendor’s systems, exposing Social Security numbers, birthdates and other PII, according to court documents.
The class in the Sept. 7 filing has more than 100 members, and the amount plaintiffs seek exceeds $5,000,000, according to court documents.
The second suit was filed Sept. 9 by Robert Hamilton in North Carolina, according to court documents. Hamilton and other class members accuse Ally Bank of:
- Failing to secure PII.
Cybersecurity experts weigh in
“To prevent breaches involving third-party vendors, it’s critical for companies in the financial industry to implement reasonable industry standard security practices, such as securing all their endpoints, networks and business applications,” David Cottingham, president of cybersecurity company rf IDEAS, told Bank Automation News.
Paul Martini, chief executive of cloud cybersecurity company iboss, agrees.
To strengthen its cybersecurity efforts following the breach, the $191 billion Ally should adopt a zero-trust framework policy, he told BAN.
A zero-trust framework requires that all user identification be validated, authorized and authenticated throughout the time a platform is being used rather than verifying credentials only once during the login process, according to cybersecurity and software company CrowdStrike.
A zero-trust framework “would improve security through adaptive access policies and real-time threat detection,” Martini said.
Avoiding breaches
Ally, according to the lawsuit, should also implement the following tech-driven practices to improve its security:
- Automate anti-virus scans;
- Scan emails to detect fraud threats;
- Verify email senders;
- Update and patch operating systems regularly; and
- Use caution with links and when entering website addresses.
Ally did not respond to Bank Automation News’ request for comment by publication time.
Recent breaches
Twenty percent of all global cyberattacks targeted financial institutions and 65% of all cyberattacks targeted U.S. organizations, according to a Sept. 10 Trustwave Risk Radar Report.
Recent data breaches:
- The $3.2 trillion Bank of America in May reported that a breach at its cloud provider, Infosys McCamish Solutions, exposed sensitive information of 57,000 customers.
- The $1.9 trillion Santander Bank on June 18 filed a notice with the Attorney General’s Offices of Maine and Vermont to inform regulators that it had suffered a data breach in April that resulted in hackers obtaining sensitive information of 12,786 customers.
- The $1.6 billion Evolve Trust Bank reported that it had suffered a breach in late May from cybercriminal organization Lockbit, which downloaded sensitive customer information, according to an Aug. 6 release.