USAA data breach: what you need to know and do following the financial and military-affiliated data security incidents

Financial organizations are prime targets for cybercriminals—recent breaches at Truist and LoanDepot show the trend. Institutions like USAA face an added incentive for attackers because they serve active-duty members, veterans, and their families, whose identities are often treated as “high-trust,” making fraud more lucrative. 

From 2021 to 2024, USAA disclosed several security breaches, including contractor mishandling and, most recently, a 2024 system error that exposed some members’ documents. These USAA data breach incidents reveal that even mature and disciplined institutions are vulnerable. 

This article will break down the timeline of each USAA breach, explain what was exposed, and how you can protect yourself from fraud or identity theft. 

USAA data breach incidents: a pattern of vulnerability

While each USAA data breach happened separately, together they point to recurring exposure risks for some USAA customers. Like many long-standing institutions, USAA operates a complex mix of legacy and modern systems, where change-management errors and third-party access can create gaps if controls aren’t consistently applied. The USAA breaches affected an estimated 74,000 customers, though the exact figures are unclear due to varying state and regulatory disclosures. 

Here’s a quick overview of the data breaches: 

• A system error in 2024 exposed sensitive documents by posting them to the wrong accounts.
  
• USAA members were impacted in 2023 after third-party contractors improperly shared access credentials.
  
• Thousands of USAA members’ details were compromised in 2021 due to the misuse of an online insurance quote tool. 

Because military-affiliated identities carry strong trust signals, they are especially valuable to cybercriminals. A compromised USAA account not only exposes generic information like email addresses or usernames, but also allows the exploitation of high-value data through:

• Targeted scams and social engineering – Threat actors create phishing emails or phone calls that are more convincing to military service members. 
  
• Identity theft – No one is immune to identity theft. Cybercriminals can sell sensitive information, such as Social Security numbers, for others to use in fraudulent schemes.
  
• Using a service member’s financial credibility – Career military personnel may be considered low-risk borrowers, meaning criminals may attempt to use their identities for fraudulent purposes. 

Did USAA get hacked in 2024?

The question on everyone’s mind is Did USAA get hacked? No, the 2024 USAA breach wasn’t the result of an external threat actor. The security breach occurred because of an error during a system update. 

On April 13th, 2024, the system accidentally posted sensitive documents belonging to USAA Property and Casualty (P&C) customers to other member accounts. The error exposed: 

• Names and date of birth
• Driver’s licenses and passports
• Home addresses
• Social Security numbers
• Loan and policy numbers
• Some medical information

The breach impacted approximately 32,276 members, but what’s most frustrating is the timeline of events that occurred. USAA became aware of the issue on April 30th, but didn’t complete their investigation until July 31st. Affected USAA members weren’t formally notified until August 27th, 2024.

The delay means bad actors could have misused the exposed information long before members could begin proactive online security habits. 

Post-breach response: how did USAA do?

The company faced criticism for how it handled the aftermath of the breach. Many were concerned with the extended delay in notifying affected customers. Users posted their concerns on Reddit, expressing their surprise that it took four months to inform members of the breach. 

The company began monitoring the compromised accounts for suspicious activity and worked with the third-party provider to strengthen their security measures. USAA offered those affected the standard 24 months of complimentary Experian IdentityWorks monitoring protection, consisting of credit monitoring, identity theft protection, and fraud protection. 

USAA also pledged to improve its own operations to prevent similar issues from happening in the future. 

Does USAA offer identity theft protection?

USAA moved quickly to provide customer relief with complimentary identity monitoring and enrolling impacted members in Experian IdentityWorks. Beyond that, the company offers ongoing account protection for all of its customers, including: 

• Login safety, such as one-time security codes for sign-in attempts, multifactor authentication, and password verification. 
  
• Dedicated security teams who monitor, investigate, and alert USAA members to any suspicious activity 24/7. They also suggested how members could protect themselves. 
  
• Fraud reporting channels, such as phone calls and texts, the mobile app, and emails from USAA representatives, were available for members to conveniently report incidents.

Even with these strong protections in place, no level of monitoring or proactive measures could have prevented a mishap from an update failure, system-level issues, or internal errors. 

Legal consequences of the 2024 USAA data breach

Maurice Fitzpatrick, a USAA member from Texas, filed a class action lawsuit in September 2024 alleging that the system error exposed the personal information of over 32,000 customers. Documents concerning the allegations in the lawsuit claim: 

• USAA’s negligence made members more vulnerable over time due to the increased delay in sending out official notices.
  
• The company failed to secure the PII of its members, exposing names, addresses, and private medical details. 
  
• The breach led to additional fraud, where the plaintiff experienced an unauthorized $950 charge on his American Express card. 

What happened in the USAA data breach 2023?

Before the most recent USAA data breach, the company experienced a security breach related to activities from a third-party contractor. From December 2022 to May 2023, representatives improperly shared account access credentials, giving unauthorized users access to USAA members’ data. A report from the San Antonio News discussed the USAA data breach 2023 and estimated that 19,000 members were compromised, including 2,700 Texans. 

The breach exposed members’ names, addresses, birthdates, contact numbers, email addresses, bank account numbers, Social Security numbers, and even PINs used for authentication. In response, USAA assisted the contractor in removing authorized access, improving its protocols, and notifying all affected members about the breach. The institution also offered affected members 24 months of Experian IdentityWorks credit monitoring to prevent identity theft. 

Earlier events: the May 2021 incident and USAA data breach settlement

The 2024 and 2023 USAA data breach incidents aren’t the company’s only security breaches. In 2021, threat actors abused USAA’s online insurance quote tool, something meant to save members’ time. Instead, criminals exploited the platform’s lack of rate limiting or CAPTCHA controls. 

Because the tool used member driving records, it would display sensitive information to help users confirm identity. Attackers took previously stolen PII and matched it to active USAA members. They compromised about 22,000 member accounts and exposed: 

• Names and birthdates
• Home addresses
• USAA account information
• Social Security numbers
• Driver’s license numbers

USAA removed the vulnerability from its systems and informed those affected. Yet, the data breach led to legal action, resulting in a class-action settlement. 

USAA data breach settlement details

The court approved a $3.25 million settlement fund for the 2021 USAA data breach, with a final hearing scheduled in May 2025. The court issued an official notice to inform those who are eligible to file a claim for the USAA data breach settlement. 

Please note that the claim deadline of April 7, 2025, has already passed. 

Here’s a quick overview of the settlement details class members need to know. 

Class members can opt out to preserve their right to sue later, but not opting out means an individual can’t bring their own lawsuit against USAA. Even class members who don’t file a claim are bound by the settlement terms. If you have a question about eligibility, you can contact the Settlement Administrator at [email protected].

The administrator will distribute settlement payments from the Net Settlement Fund, after attorney fees, litigation expenses, an award for the lead plaintiff, and other settlement administration costs. 

Why do data breaches matter even if you’re not a USAA member?

It’s easy to dismiss news of a data breach, since they are becoming the new normal. But a USAA data breach adds more stolen information to an expanding cybercriminal ecosystem that could harm anyone. Here’s why it matters: 

• Compromised data isn’t isolated. Sensitive information exposed in one breach can be bundled with other data and sold online. While bad actors may not have compromised your data in a USAA breach, they can still use it to build a complete profile of you. 
• Breaches spread fraud risks. Threat actors can exploit a data breach by using stolen information to create phishing emails or run impersonation scams to target people outside of USAA. 
• Anyone is a potential target. Data brokers and bad actors are constantly verifying and packaging personal data to sell. With each new data breach, your risk level for fraud may rise, whether it impacts you directly or not. 

What’s the takeaway? No one is 100% protected from experiencing security breaches. The best approach is to prepare for them and adopt proactive, protective habits before fraud happens to you. 

What to do if you’re affected by a data breach

The first 24-48 hours emergency kit

Finding out your sensitive information has been exposed can be overwhelming, but you need to make a plan and act quickly. During the first 24-48 hours, you should: 

• Immediately change your passwords, starting with your USAA account, email, and move to other critical platforms, like your banking institution. Always use unique passwords for each online profile. 
  
• Use two-factor authentication wherever you can, especially for online banking and email accounts. 
  
• Freeze your credit immediately by contacting all three credit bureaus to stop threat actors from opening new credit lines in your name. 
  
• Watch your accounts regularly and focus on your bank statements, credit card activity, and USAA account for unusual activity.  

Long-term vigilance and recovery

The first 24-48 hours focus on reducing your fraud risk and limiting your exposure. In the long term, you’ll want to: 

• Review your credit reports every quarter. Check for new accounts or credit inquiries you don’t recognize. 
  
• Set up account alerts through text or email to notify you about odd transactions, login attempts, or changes to your accounts. 
  
• Report fraud immediately; waiting too long only increases your risk of fraud and exposure. You can file a complaint with the FTC at IdentityTheft.gov and inform your bank.   
  
• Rotate your passwords – Never reuse passwords across your online platforms. Rotate and change your passwords regularly to be proactive and protect your privacy. 
  
• Recognize phishing scams – Sometimes, criminals pose as trusted brands and send targeted communications, especially after new breaches. After the recent Walmart data breach, scammers attempted to mimic the retailer’s communications to trick customers into sharing more information. 
  
• Use tools to protect your privacy and add stronger layers of protection. Consider using HaveIBeenPwned, VPNs, disposable emails, and password managers. 

Building enduring resilience

Emergency steps and monitoring are essential, but you should also limit your digital footprint. Having your personal information online increases your vulnerability after a data breach like USAA. That’s why managing your online presence is becoming the standard for privacy. 

Here’s how you can build resilience moving forward: 

• Audit and close unused accounts – Delete your old online profiles, as they are potential entry points for threat actors. 
  
• Reduce your digital footprint – Your online activities leave data online for threat actors to collect and sell. Limit what you share and adjust your privacy settings when using social media and other apps. Most importantly, think twice before handing over personal data, whether for a quick registration or a small discount in exchange for your name, email, and other details. 
  
• Search your name and remove exposed data  – Try searching your name and address online and see what’s visible to the public. You can do it manually by Googling your name, city, and state, or with Onerep’s free data broker scan that checks 230+ privacy-abusing websites to show where your data appears. To limit your exposure, you can manually request removal or use Onerep’s automated service to do it for you.

Why choose Onerep to stay safe

Removing your personal information from data-broker and people-search sites that publish your address, phone number, and family ties not only helps you stay safer online, but also brings peace of mind and reduces spam, scams, and identity-theft risk. You can do this manually, or hand the time-consuming opt-outs to a data-removal service.

So why trust Onerep with removing your exposed data from the public web? 

Automated scans and removals from over 230 data broker sites

• We scan data brokers and people search sites to find where your personal information is exposed.
  
• Once your information is discovered, Onerep starts the removal and doesn’t stop until your data has actually been deleted. We use our own Verified Removal™ process to ensure the information is deleted. 

Ongoing monitoring
We provide ongoing privacy protection by monitoring 200 websites to make sure private info stays off the internet. Onerep’s True Scan™ technology performs instantaneous scans every month, checking for new or reappeared profiles on people-search websites. If they’re found, we repeat the removal.  

Comprehensive removal updates
We keep you informed about the state of your data exposure and removal progress via our visual dashboard and monthly reports sent right to your inbox.

Free trial

If you’re not sure which privacy protection service works best for you, you can enroll in a 5-day trial of Onerep and have free access to our platform and all of its features, just like any of our paying customers. The free trial period will give you a taste of our product and enable you to compare us with other services.

👉 Sign up for Onerep 

FAQs

Was USAA hacked recently?

No, the 2024 USAA data breach didn’t happen because of a cyberattack. It was a system error during an update that exposed 32,000 members’ sensitive information. 

What was exposed in the USAA data breach 2023?

This breach occurred because third-party contractors incorrectly shared access credentials. Their actions exposed 19,000 USAA members’ information, including names, addresses, Social Security numbers, debit and credit cards, PINs, and driver’s licenses.

Is there a class action lawsuit against USAA?

Yes. Maurice Fitzpatrick filed a lawsuit following the 2024 breach. He alleged that the company was negligent and delayed notifying those affected by the incident. 

How much will I get from the USAA data breach settlement?

The finalized settlement relates to the 2021 breach, which established a $3.25 million settlement fund. Individual payouts for class members will come from a Net settlement fund and depend on the number of valid claims and fees awarded by the court. A final approval hearing occurred on May 21st, 2025.