USAA settles $3.25 million data breach case, faces fresh allegations of negligence

USAA, a leading insurance provider, has agreed to a $3.25 million settlement to resolve a class action lawsuit stemming from a 2021 data breach, though the company denies any wrongdoing. The settlement addresses allegations that the company failed to protect sensitive motor vehicle record information in its quoting system. The breach reportedly allowed unauthorized access to identifying details, including driver’s license numbers, enabling a third party to create USAA memberships fraudulently.

Initially filed by Vincent Dolan in July 2021, the lawsuit gained momentum as more than 22,000 individuals joined the class action. Dolan discovered the breach only after receiving a notification from USAA about the incident. As the lead plaintiff, Dolan is expected to receive the largest payout of up to $10,000, while other affected individuals will likely receive about $100 each.

Although a judge sealed the settlement agreement, My San Antonio (MySA) obtained a proposed version that provides insight into the details of the case. Documents allege that USAA’s insufficient safeguards resulted in the unauthorized use of Dolan’s personal information.

This settlement marks only one of USAA’s recent challenges related to data security. In a separate incident earlier this year, the insurer reported a data breach affecting 32,000 policyholders due to an internal system error. According to a notice sent to customers in August 2024, the breach occurred on April 30, 2024, during an update to USAA’s document delivery system. The error caused personal documents intended for one member to be mistakenly posted to another member’s online account.

USAA claims it acted swiftly to address the issue, removing the documents and conducting an investigation that concluded on July 31, 2024. However, criticism has arisen over the delay in notifying affected individuals. Customers were informed in August, several months after the breach was discovered.

The April breach has led to a proposed class action lawsuit, with plaintiffs alleging negligence on USAA’s part. A 62-page complaint claims the exposed information included highly sensitive data such as names, Social Security numbers, driver’s license details, and medical information. The plaintiffs argue that the delayed notification left them vulnerable to identity theft and financial harm.

One plaintiff reported that his bank detected his data on the dark web, resulting in $950 in fraudulent credit card charges in August 2024. He attributes these losses to the USAA breach and has joined the class action to hold the insurer accountable.