Ally data breach: what happened and what you should do

In April 2024, Ally Bank (owned by Ally Financial) confirmed a breach exposing data of millions of individuals. The incident didn’t happen by breaking into the organization’s systems; it happened through one of the vendors, which stored the data unencrypted and unredacted.
In the last few years, more banking institutions, such as Bank of America, Truist, Chase and Wells Fargo, have experienced similar breaches, highlighting a broader, alarming trend affecting consumers on an unprecedented scale.
This post summarizes everything we know about the Ally data breach, discusses the legal developments that followed and provides actionable tips on how to protect your personal and financial data.
What we know about the Ally bank data breach 2024

Timeline of events
Here’s how the Ally bank security breach unfolded:
- April 23, 2024: Ally identified unauthorized access to a vendor system exposing sensitive personal and financial details of Ally customers.
- May 23, 2024: Ally filed the data breach with the Massachusetts Attorney General’s office, confirming the event and outlining the types of exposed data.
- Summer 2024: Ally mailed breach notification letters to affected customers, offering three years of complimentary credit monitoring and identity protection services.
- Late 2024-2025: Multiple class-action lawsuits were filed against Ally, accusing the bank of negligence and delayed disclosure.
How did the Ally data breach happen?
The 2024 Ally Bank data breach stemmed from a cybersecurity incident involving one of the bank’s third-party vendors. According to a complaint filed on September 7, 2024, an unauthorized party gained access to the vendor’s systems, where customer data tied to Ally accounts was stored. The exposed data was allegedly left unencrypted and unredacted, and none of the widely available security software was used to protect the systems.
While Ally did not disclose the name of the vendor, early investigations confirmed that the attacker compromised Social Security numbers, dates of birth, and auto account numbers of Ally’s customers.
How did Ally respond?
We understand how frustrating this experience may be for you and apologize for not meeting your expectations. Nothing is more important to us than doing it right for you.
Ally acknowledged the breach. However, it didn’t specify how long the attackers had access to the data, how many people were affected, or which vendor’s system was compromised.
When the breach was discovered, Ally partnered with a forensics firm to identify how the hackers got access, what data was exposed and how to prevent further damage.
Despite the company’s announcement, multiple class-action lawsuits accused Ally of failing to recognize the breach and mitigate the harm in a timely manner.
Impact on consumers
In the hands of cyber criminals, the data compromised during the Ally data breach poses a significant threat for years to come.
What information was compromised?
The incident exposed customer names, addresses, birthdates, Social Security numbers (SSNs) and auto account numbers.
How many users were affected?
To date, Ally has not disclosed the number of individuals affected by the data breach. In the class-action lawsuit filed on September 7, 2024, plaintiff Sebestian Owens alleged that the breach resulted in “the exposure of the PII of allegedly billions of individuals.” Similarly, in a separate complaint, Robert Hamilton claimed that the personal information of thousands of customers may have been improperly accessed as a result of the breach.
How does the leaked data put you at risk?
The Ally data breach leaves affected consumers vulnerable to a number of cyber threats:
- Identity theft: exposed information can be used to open credit lines, take out loans or file false tax returns in the name of an affected individual.
- Dark web data resale: the leaked data may end up on dark web forums for sale, creating new opportunities for criminals to use it with malicious intentions.
- Long-term fraud risk: data like Social Security numbers can’t be changed easily, which means fraudsters can keep misusing it for years to come.
Legal consequences of the Ally data breach
The Ally bank data breach led to two class-action lawsuits accusing the company of inadequate security measures. These cases sought both monetary compensation and court-ordered changes to improve how Ally protects personal and financial data of its clients.
Class action: Owens v. Ally Bank et al. (Case No. 3:24-cv-00811)
Owens v. Ally Bank was filed in the U.S. District Court for the Western District of North Carolina. According to lead plaintiff Sebestian Owens, Ally breached its duties by failing to:
- put in place proper network protections against known threats;
- create and follow reasonable data retention policies;
- train staff adequately on data security;
- follow industry-standard security practices;
- warn customers about its weak security measures;
- adequately encrypt personal information;
- detect the breach quickly enough to limit the damage;
- use software tools to detect and prevent such attacks;
- secure its hardware with reliable protections against vulnerabilities.
Owens also claimed to have suffered actual injury as a result of the Ally Bank data breach. He reportedly discovered an incorrect item on his credit report, involving an auto loan he did not take out, “causing his credit score to precipitously drop.”
The plaintiff and the class members sought financial compensation, including actual and punitive damages, as well as restitution. They also requested a court order requiring Ally to improve its data security practices to prevent future breaches and provide or extend credit monitoring services to help protect affected customers from identity theft.
The case was voluntarily dismissed on February 17, 2025, without the possibility of being refiled.
Class action: Hamilton v. Ally Financial Inc. et al. (Case No. 2:25-cv-00629)
The Hamilton v. Ally lawsuit was filed on September 9, 2024, in the U.S. District Court for the Western District of North Carolina. Hamilton brought this case against Ally for failing to implement reasonable industry-standard security practices and properly secure PII and protected health information (PHI).
It claimed that the exposed data could be sold on the dark web, putting consumers at a significant and indefinite risk of identity theft, which was exacerbated by the fact that the breach disclosed Social Security numbers.
This Ally lawsuit seeks to force Ally to protect all consumer data collected through the course of its business in accordance with law, regulations and best practices, implement and maintain a comprehensive Information Security program, conduct regular security audits, and more.
Not the first time: Ally’s earlier class action over data exposure
On December 6, 2021, Ally faced a lawsuit over a data breach that happened in April 2021, exposing usernames and passwords to the bank’s third-party business associates. The lawsuit alleged that the company failed to adequately safeguard PII and notify those whose data was compromised in a timely manner.
According to the case, the incident was caused by a website programming error rather than a cyberattack, exposing unencrypted login credentials to the bank’s business partners. The compromised data included full names, emails, account numbers, balances and statements, check images, employment details, linked bank account data, tax forms and more.
On February 13, 2023, the lawsuit was voluntarily dismissed by the plaintiffs, but it still highlights the same key themes that re-emerged in the 2024 breach litigation initiated by Owens and Hamilton.
What to do if you’re affected by the Ally Bank data breach

Whether you received a breach notice from Ally or simply suspect you were affected, it’s important to act quickly.
Check if your data was exposed
- Watch for notification letters from Ally. In summer 2024, the bank started sending breach notification letters, specifying the types of data compromised and containing a Sontiq (now TransUnion) activation code for credit monitoring, among other things.
- Check Ally’s official updates. Visit Ally’s Security Center page for breach updates and recommendations on how to protect your personal and financial information.
- Contact Ally support or Sontiq if unsure: Call Ally’s fraud line at 1-877-247-2559, or (877) 432-7463 to talk with a Sontiq fraud specialist.
Secure your accounts
- Use the protections Ally offered. Activate Sontiq’s three-year credit monitoring plan, which includes an initial 3-bureau credit report and credit score, unlimited online access to a TransUnion credit report score, online credit score trending, the ability to set up credit alerts, and more.
- Freeze your credit with all three bureaus. Placing a credit freeze on your files makes it difficult for fraudsters to open an account in your name. However, it won’t stop them from making changes to your existing accounts.
- Review your credit reports at AnnualCreditReport.com. Check your credit reports with Equifax, Experian and TransUnion for activity that you don’t recognize. It’s free.
- Set up transaction alerts. Fraud alerts notify creditors that someone is trying to steal your identity and prompt them to contact you before opening new accounts or making any changes to your existing files. You can place a fraud alert with one of the three major credit bureaus, and once they confirm it, fraud alerts will be automatically placed with the other two bureaus, too.
Join the Ally class-action lawsuit if eligible
- Check eligibility requirements. Most plaintiff firms require that you had an Ally account when the breach happened and/or received Ally’s notification letter.
- Know the case to cite. You can join the Hamilton v. Ally Financial Inc. — E.D. Pa., No. 2:25-cv-00629 class-action lawsuit.
- Contact law firms representing plaintiffs. In most cases, you can apply online or by phone. Make sure to document any losses or fraud attempts to increase future payouts.
How to protect yourself from future breaches

Take the following steps to protect your digital identity in case of future breaches similar to Ally’s.
Secure your network
- Keep your router’s software updated at all times and change the default admin credentials.
- Use WPA2 or WPA3 encryption. If your router doesn’t support either, it’s time to upgrade as older standards like WPA and WEP are not secure.
- Turn off WPS (Wi-Fi Protected Setup) and remote management if you don’t use them.
- Move your IoT devices to a separate network. That way, if one of them gets hacked, it won’t expose your entire system.
Monitor connected devices
- Regularly check what devices are connected to your network.
- Remove any gadgets you don’t recognize.
- Ensure timely updates of your software as hackers tend to exploit vulnerabilities in outdated systems.
Strengthen your passwords
- Create new, strong passwords, unique for each account you are using, by combining letters, digits and special symbols. A password can also be a combination of words that makes sense only to you. You can also use a password manager to create a strong, random password.
- Set up MFA (multi-factor authentication) so that a compromised password alone isn’t enough to get into your account.
Recognize and avoid scams
- Don’t click suspicious links or attachments. Take a moment to hover over a link and see the source: does it look like the official website or email?
- When in doubt, contact the company to confirm they actually reached out.
- Report phishing emails and block the senders.
Be cautious with public Wi-Fi
Always choose your mobile network or a reliable VPN over public Wi-Fi and turn off auto-join.
Act fast if you’re hacked
- Freeze your credit lines or place alerts.
- Change your passwords.
- Reach out to your financial institutions.
Avoid oversharing online
Review privacy settings across all your social media accounts and restrict access to your personal information as much as you can. Be careful connecting with or talking to people you don’t know.
Limit your personal data exposure
- Avoid giving away your personal details unless absolutely necessary. Don’t hesitate to ask how your information will be stored and used so that you can evaluate your risks.
- Be careful what you share on social media. Details like geotags, your birthdate, or family connections can help criminals craft convincing phishing or impersonation attacks.
How Onerep can help you stay private and protected
When your personal data is exposed in a breach, cybercriminals can combine it with other information available about you online, which makes identity theft, phishing, impersonation, and other forms of data abuse more likely.
Onerep helps protect you and your family from these risks by finding your publicly visible information on 230+ data brokers and people-search sites, and opting you out of the platforms that expose it.
This effectively reduces your digital footprint and removes your exposed data not only from privacy-breaching websites, but also from Google, making you a far more difficult target for scammers and identity thieves. When your data has been deleted, Onerep regularly scans the web to make sure it doesn’t reappear.
FAQs
What is the Ally Bank data breach?
The Ally Bank security breach is an incident discovered on April 23, 2024, in which an unauthorized party accessed consumer data by breaking into a system of one of the bank’s business partners. The compromised information included names, addresses, dates of birth, Social Security numbers and auto account numbers. To date, the exact scope of the breach remains unknown.
Is Ally Bank safe to use after the breach?
No bank can give you a 100% guarantee that your data won’t be exposed, but generally, Ally is considered to be a reliable bank. It has FDIC insurance, which means that your money is protected by the federal government. It also employs a comprehensive security strategy to safeguard your personal information, such as antivirus and anti-malware protection, firewalls, Transport Layer Security (TLS) encryption, multi-factor authentication and account monitoring, among other things.
Can I join the Ally class-action lawsuit?
Yes, you can join the Hamilton v. Ally Financial Inc. — E.D. Pa., No. 2:25-cv-00629 class-action lawsuit if you’re eligible. Contact a plaintiff firm to discuss your chances.
Was Ally Bank hacked recently?
Aside from the 2024 Ally security breach discussed in this article, no incidents have been reported recently.
What is the status of the Ally settlement?
The Owens case was closed without a settlement, and the Hamilton lawsuit is in its procedural phase.
Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.