400M Records Stolen in 2023 State Farm Data Breach, Class Action Lawsuit Says

New to ClassAction.org? Read our Newswire Disclaimer

State Farm faces a proposed class action lawsuit after 400 million records were reportedly accessed and stolen by hackers during an August 2023 data breach. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

The 33-page lawsuit alleges State Farm lacked adequate systems and procedures to properly safeguard consumers’ highly sensitive personal data, allowing hackers to use ransomware to steal roughly 400 million records from the insurer’s systems around August 28 of this year. The filing contends that the incident could have been prevented had State Farm properly vetted and monitored its systems. 

“Had State Farm seriously intended to protect the consumer Personal Information in its possession, it could have done so,” the suit contests, noting that the major insurance company is “well aware of the risk posed by phishing schemes.” 

The case, initially filed in Illinois Circuit Court on September 13, says that State Farm has yet to notify victims that their data “may be in the hands of cyber criminals.” According to the suit, the information State Farm collects in its regular course of business includes consumers’ names, mailing and billing addresses, phone numbers, email addresses, Social Security numbers, dates of birth, driver’s license numbers, bank account and credit card numbers, health insurance data, demographic details, billing and claims data, and much more. 

“Trust and confidence are key components of Plaintiffs’ and class members’ relationship with State Farm,” the complaint reads. “Without it, Plaintiffs and class members would not have provided State Farm with, or allowed State Farm to collect, their most sensitive information in the first place.” 

Per the lawsuit, two ransomware groups have claimed responsibility for the State Farm data breach, Ransomed.vc and the Everest Ransomware Group. The case states that news outlets who monitor developments on the dark web have reported that the two groups are “frequent collaborators, with overlapping leadership.” 

According to the suit, Ransomed and Everest posted on August 29 about how they successfully infiltrated State Farm’s data storage security, claiming to have come away with “complete customer insurance details, containing a total of 400 million records.” The case says that the groups, whose resumé reportedly includes data breaches against Transunion, AT&T, NASA and other corporations and government entities, gave State Farm a deadline of September 5, 2023 before they would sell the stolen information to third parties. 

“In many cases, Everest and Ransomed sell the stolen data to anyone willing to pay for access,” the lawsuit shares. “In others, they simply make the data available online for anyone to download and view.” 

Because the State Farm data breach was executed by known ransomware groups, proposed class members’ information is “irrefutably in the possession of known bad actors,” the suit stresses. The complaint adds that although the exact method by which Ransomed and Everest breached State Farm’s systems is unknown, past attacks by the groups have generally involved “phishing” attempts, whereby a malicious email is sent to an employee of a target company. 

“In such a phishing scheme, the data breach occurs when the employee clicks a link in the phishing email, executing malicious software which allows the hacker to access the entity’s computer systems and databases,” the case explains. 

The lawsuit relays that State Farm data breach victims must now live with a substantially increased risk of identity theft and fraud. 

The case looks to cover all United States residents whose personal information was compromised as a result of the data breach. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.