Allianz Life's CRM Was Hacked. 1.4 Million Customers' SSNs Were Exposed. Allianz's Own Systems Were Never Touched.

Case Study Third-Party Risk
May 2026  ·  8 min read

On July 16, 2025, attackers used a phone call to social engineer access to a third-party CRM system used by Allianz Life. They never touched Allianz's internal networks. They didn't need to. The vendor had the data. The vendor had the access. And the vendor was the open door.


Allianz Life Insurance Company of North America has 1.4 million customers. On July 16, 2025, threat actors accessed the personal data of the majority of those customers — names, addresses, Social Security numbers, dates of birth, policy numbers, and financial information.

Allianz's internal systems were never breached. Its policy administration platform remained secure throughout the entire incident. No attacker ever penetrated Allianz Life's own network infrastructure.

They didn't need to. Allianz used a third-party cloud-based CRM system to manage customer relationships. The attacker called the vendor, posed as IT support, social engineered access to that CRM, and walked out with data on 1.4 million insurance customers. The breach wasn't in Allianz's house. It was in the vendor's house. The data was the same either way.

1.4M customers affected — majority of Allianz Life's entire US customer base exposed via third-party CRM (Source: Allianz Life / Maine AG filing, July 2025)

0 Allianz internal systems breached — the attack never touched Allianz's own network. It didn't need to. (Source: Allianz Life statement, July 2025)

48% of all 2025–2026 breaches involved a third party — up 60% year over year per the 2026 Verizon DBIR (Source: Verizon DBIR 2026)

The data exposed in the Allianz breach — names, Social Security numbers, dates of birth, addresses, phone numbers, policy numbers, and financial data — is precisely the combination attackers use to commit identity fraud, open fraudulent accounts, and file false insurance claims. Allianz offered 24 months of credit monitoring to affected customers. Class action investigations were opened within days of disclosure.

How the attack actually worked — the vendor chain

The Allianz breach is a textbook illustration of the third-party risk problem the 2026 DBIR documented. Understanding exactly how it worked reveals why your own business faces the same exposure even if your defenses are solid.

The Attack Chain — Allianz Life, July 16 2025

1. Attacker identifies Allianz Life's CRM vendor. Third-party vendors are often publicly identifiable through job postings, LinkedIn profiles, and vendor directories. Allianz used a cloud-based Salesforce CRM platform. This information was publicly available.

2. Attacker calls the vendor posing as IT support. The same ShinyHunters/Scattered Spider vishing playbook: impersonate IT, create urgency, social engineer credentials or MFA approval from a vendor employee who has access to Allianz's CRM data. Allianz has no visibility into this call.

3. Attacker gains access to the cloud CRM containing Allianz customer data. The vendor's access becomes the attacker's access. The breach is in the vendor's environment — not Allianz's. Allianz's firewalls, endpoint detection, and internal controls are all irrelevant. They're defending the wrong perimeter.

4. Attacker exfiltrates data on 1.4 million customers. Names, SSNs, dates of birth, addresses, policy numbers, financial data. The leaked files contain approximately 2.8 million Salesforce records. Discovered the following day, July 17.

5. Allianz notifies the FBI, begins containment, starts notifying 1.4 million customers. Class action investigations open. 24 months credit monitoring offered. Maine AG notified. Allianz's own networks remain secure throughout. It made no difference.

The same coordinated campaign hit dozens of other major organizations through their Salesforce CRM vendors:

Allianz Life
Chanel
LVMH brands
Adidas
Google Ads SMB
Snowflake
Cushman & Wakefield
+ many others

Every one of these organizations had their own security teams, their own defenses, their own controls. None of those defenses protected their data — because the data wasn't behind their defenses. It was behind their vendor's defenses. And the attacker targeted the vendor, not them.

Why this is your problem even if you've never heard of Salesforce

Replace "Salesforce" with the name of any tool your business uses that a vendor manages on your behalf — your accounting platform, your email marketing tool, your scheduling software, your payment processor, your HR system, your customer database. Every one of those tools is a third-party managed system that holds your data, has its own staff who can be socially engineered, and represents an entry point into your customer information that bypasses every defense you've built.

The 2026 Verizon DBIR documented that third-party breaches now account for 48% of all incidents — up 60% in one year. Your perimeter defenses protect roughly half of your actual attack surface. The other half lives in the vendor stack.

The five things every SMB should do about vendor risk right now

1. Know which vendors hold your customer data

Inventory first

Most SMBs cannot answer this completely. The CRM holds customer contact data. The email platform holds communication history. The payment processor holds financial data. The accounting tool holds everything. Each vendor is a potential Allianz scenario — a breach in their environment exposes data that belongs to your customers but lives in their systems.

Action this week: List every third-party tool your business uses and identify what customer or employee data each one holds. This inventory is the foundation of your vendor risk management. You cannot manage exposure you haven't mapped.

2. Ask your vendors one specific security question

Vendor audit

You don't need a formal third-party risk management program. You need one question: "What security controls do you have in place to prevent social engineering attacks against your staff who have access to our data?" The answer tells you everything. A vendor with a clear answer is a different risk than one who says "we follow industry best practices."

What a good answer looks like: Phishing-resistant MFA for all staff with customer data access. Mandatory security awareness training including voice phishing scenarios. Access logging and anomaly detection on customer data. A documented incident response procedure.

3. Apply the principle of least privilege to every vendor

Access control

If a vendor only needs to send email on your behalf, they shouldn't have access to your full customer database. The Allianz CRM vendor had access to data on 1.4 million customers — the attacker's access was bounded by what the vendor was permitted to see. Minimum necessary access limits the blast radius when a vendor's environment is compromised.

Practical application: Review the permissions each vendor has in your systems. If a tool has broader access than its function requires, restrict it. Least privilege is a configuration change, not a product purchase.

4. Minimize the data you give vendors in the first place

Data minimization

Many SMBs give vendors more data than they need because it's easier to export everything than to filter. Every field you give a vendor that they don't need is a field that can be stolen in a third-party breach.

The question to ask: For each vendor that has customer data: does this vendor actually need every field we've given them? Does the email marketing platform need customer SSNs? Does the scheduling tool need home addresses? Removing unnecessary fields from vendor access is the simplest form of third-party risk reduction.

5. Know your legal exposure when a vendor gets breached

Legal liability

The Allianz customers whose SSNs were exposed had a relationship with Allianz — not the vendor. The obligation to protect that data and notify affected individuals belongs to Allianz. The same principle applies to your business. When a vendor who holds your customer data is breached, you may have mandatory notification obligations — even if your own systems were never touched.

Know before you need to know: For each vendor holding customer PII, confirm whether a breach of their systems triggers notification obligations for your business. In most US states, the answer is yes if the data includes names combined with SSNs, financial account numbers, or health information.

The Allianz breach was discovered within 24 hours — unusually fast. Their response was swift: FBI notified, system isolated, customers notified. And yet 1.4 million people still had their SSNs exposed. Fast detection and response matters. Not having the exposure in the first place matters more. The five actions above reduce the exposure before the clock starts.
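
The vendor inventory and data-minimization actions above (1 and 4), as an added example that is not part of the original article: it compares what each vendor receives against what its function needs, and builds an export that contains only the needed fields. The vendor names, field names and sample rows are hypothetical and constructed for illustration.

```python
import csv
import io

# Constructed sample export; no real customer data.
SAMPLE_CSV = """name,email,ssn,dob,home_address,policy_number
Ana Ruiz,ana@example.com,000-00-0001,1980-02-03,1 Elm St,P-1001
Raj Patel,raj@example.com,000-00-0002,1975-11-20,9 Oak Ave,P-1002
"""

# Hypothetical vendor inventory: fields each vendor's function needs
# versus the fields it currently receives.
VENDORS = {
    "email_marketing": {"needs": {"name", "email"},
                        "receives": {"name", "email", "ssn", "dob", "home_address"}},
    "scheduling": {"needs": {"name", "email"},
                   "receives": {"name", "email", "home_address"}},
    "policy_admin": {"needs": {"name", "ssn", "dob", "policy_number"},
                     "receives": {"name", "ssn", "dob", "policy_number"}},
}
SENSITIVE = {"ssn", "dob", "home_address", "policy_number"}

def excess_fields(vendors):
    """Map vendor -> sorted fields it receives but does not need."""
    return {v: sorted(d["receives"] - d["needs"])
            for v, d in vendors.items() if d["receives"] - d["needs"]}

def exposed_sensitive(vendors):
    """Sensitive fields each vendor holds, i.e. what a breach there leaks."""
    return {v: sorted(d["receives"] & SENSITIVE) for v, d in vendors.items()}

def minimized_export(csv_text, vendor, vendors=VENDORS):
    """Return CSV text with only the needed fields; fails closed on errors."""
    needs = vendors[vendor]["needs"]          # unknown vendor -> KeyError
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = needs - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"source lacks fields: {sorted(missing)}")
    cols = [f for f in reader.fieldnames if f in needs]  # keep source order
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=cols, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(reader)                  # extra columns are dropped
    return out.getvalue()

if __name__ == "__main__":
    print("Excess fields per vendor:", excess_fields(VENDORS))
    print("Sensitive exposure per vendor:", exposed_sensitive(VENDORS))
    print(minimized_export(SAMPLE_CSV, "email_marketing"))
```
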

The vendor risk question your business hasn't asked yet

Your security is only as strong as your weakest vendor. That's the documented reality of 48% of all 2025–2026 breaches. Allianz had strong internal controls. They didn't protect 1.4 million customers because the data wasn't behind their controls. It was behind a vendor's controls, and the vendor had a gap.

The question for every SMB owner: if your most important vendor was breached tonight using the same vishing call that hit Allianz, Cushman & Wakefield, and 100+ other organizations — what data would be exposed? Whose data is it? What are your notification obligations? And have you ever asked your vendor how they protect against a phone call?

The Veriti Spottr CyberScore's Business Profile component captures your vendor relationships and third-party access as part of your overall risk assessment. The Security Posture survey covers your third-party risk management practices directly. A business that has mapped its vendor data exposure, applied least privilege, and confirmed vendor security controls will score materially higher — and face materially lower risk — than one that hasn't. The Allianz breach shows what it looks like when it isn't managed.

Know your vendor risk before your vendor gets the call. Veriti Spottr's beta is free.

Veriti Spottr Team AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
