Farmers Insurance Data Breach Results in Class Action Lawsuit Against Salesforce

Lawsuit claims Farmers Group waited nearly three months to alert 1.1 million customers about the Salesforce data breach, which left customers at risk of identity theft and financial fraud.

A Florida man has filed a class action lawsuit on behalf of Farmers Insurance customers, claiming that his and others’ data was compromised in a massive data breach involving the third-party customer management platform, Salesforce.

The complaint (PDF) was brought by Malcolm Scott in the U.S. District Court for the Northern District of California on August 27, naming Salesforce Inc. and various other unnamed parties as the defendants.

Salesforce is a cloud-based software-as-a-service (SaaS) company, which helps businesses manage their customer data, sales processes, marketing campaigns and customer service operations. The company suffered a data breach on May 30, which may have impacted a number of Farmers’ Insurance customers according to a subsequent notice (PDF) issued by the insurance carrier.

Data breaches occur when hackers gain access to individuals’ private online information, often including names, logins, passwords, social security numbers and other sensitive data that can be used to take over accounts or impersonate people.

More than 1 billion online accounts in America were impacted by data breaches last year, some of which resulted in Change Healthcare lawsuits, AT&T data breach lawsuits, Ticketmaster data breach lawsuits and others, concerning the dangers of customers’ personal information being leaked online, and exposing them to risks of identity theft, financial fraud and other negative consequences.

According to his lawsuit, Scott contends that the Salesforce breach exposed highly sensitive personal information, including names, addresses, dates of birth, driver’s license numbers and partial Social Security numbers. The complaint indicates that this level of detail leaves affected customers vulnerable to fraud, since the information is often used to verify identity in financial and government transactions.

In addition to the kinds of information exposed, the lawsuit also faults Farmers for detecting suspicious activity on May 30, but not sending written notices to customers until August 22, nearly three months later. According to Scott, this delay left consumers unable to take immediate protective measures, such as monitoring credit or freezing accounts, to reduce the risk of fraud.

Scott further alleges that the breach itself was enabled by compromised OAuth tokens and phishing attacks that relied on fake Salesforce applications to steal user login credentials. By exploiting those vulnerabilities, unauthorized actors allegedly gained access to Salesforce’s systems, exposing data belonging to Farmers Insurance customers and potentially many others.

Beyond the immediate breach mechanics, the complaint frames the case as a “hub-and-spoke” breach, in which Salesforce acts as the central hub providing cloud services to client companies—the spokes—such as Farmers. Scott contends that by breaching Salesforce, attackers potentially gained access not only to Farmers’ customer data but also to data belonging to other businesses that rely on Salesforce for storage and customer management.

In this way, the case echoes lawsuits filed last year against data cloud provider Snowflake, which was implicated in both the massive Ticketmaster and AT&T data breaches.

Because of the model, Scott argues Salesforce’s problem could be far larger. While Farmers has acknowledged that roughly 1.1 million of its customers were impacted, the complaint suggests the true scope may extend much further. Since Salesforce provides cloud-based data management for hundreds of companies, Scott argues that millions of additional consumers whose information is stored with Salesforce could ultimately be affected.

“Defendants’ failures to ensure that their servers and systems were adequately secure fell far short of their obligations and Plaintiff’s and Class members’ reasonable expectations for data privacy jeopardized the security of Plaintiff’s and Class member’s Personal Information, and exposed Plaintiff and Class members to fraud and identity theft or the serious risk of fraud and identity theft.”

— Malcolm Scott v. Salesforce Inc. et al

The lawsuit emphasizes the heightened risks posed by the exposure of Social Security and driver’s license numbers, which are considered especially valuable on the black market. A Social Security number can be used to open credit lines, file fraudulent tax returns, or apply for government benefits, while driver’s license numbers may sell for hundreds of dollars online. Scott warns that victims may now face years of identity theft threats as a result of the breach.

Scott raises allegations against all defendants of negligence, negligence per se, breach of implied contract, breach of fiduciary duty, invasion of privacy (intrusion upon seclusion), unjust enrichment, Violations of the California Unfair Competition Law, and Violations of the Driver’s Privacy Protection Act.

He is seeking certification of his complaint for class action status, as well as actual and statutory damages, punitive damages and monetary damages.

Sign up for more legal news that could affect you or your family.