Insurance giant Allianz subsidiary Allianz Life Insurance Company of North America is notifying roughly 1.5 million people that their personal information was stolen in a July data breach.
The incident occurred on July 16 and involved a third-party cloud-based customer relationship management (CRM) system used by Allianz Life, the company told SecurityWeek in July.
Only Allianz Life in the US was impacted, the company said, adding that most of its roughly 1.4 million customers were likely affected, without sharing an exact number.
This week, however, the company notified the Maine Attorney General’s Office that the breach affects the data of 1,497,036 “Allianz Life customers, financial professionals, and select Allianz Life employees”.
The stolen personal information includes names, addresses, dates of birth, and Social Security numbers, the insurer notes in the notification letter sent to the affected people.
Allianz Life is providing the affected individuals with two years of free identity theft restoration and credit monitoring services.
The company also said it has contained and mitigated the issue, and that the incident was limited to the third-party CRM, as none of its systems were accessed.
While Allianz Life did not share details on the compromised CRM, the attack was attributed to the infamous Scattered Spider cybercrime group, which conducted a large-scale campaign targeting the Salesforce instances of major companies.
Adidas, Cisco, Dior, Louis Vuitton, Google, Air France/KLM, and Workday are also believed to have been targeted in the campaign.
Scattered Spider and its recent partner-in-crime ShinyHunters, a hacking group specializing in extortion, announced in mid-September their retirement, but cybersecurity specialists remain skeptical of their disappearance from the threat landscape.
Related: Canadian Airline WestJet Says Hackers Stole Customer Data
Related: Automotive Titan Stellantis Discloses Data Breach
Related: Salesforce AI Hack Enabled CRM Data Theft
Related: 33 Attorneys General Send Letter to FTC on Commercial Surveillance Rules
