In July 2025, Allianz Life Insurance Company of North America confirmed a breach affecting a “majority” of its 1.4 million customers, financial professionals, and employees. The scale is bad enough, but the method is worse. Hackers didn’t touch Allianz’s systems. They went in through the side door: a cloud customer relationship management vendor, tricking employees through social engineering. The takeaway? Your weakest link might not be your internal systems — it’s the third party you trust most.
And Allianz wasn’t alone. A coordinated campaign targeting Salesforce CRM systems has hit some of the world’s biggest brands, exposing at least 2.55 million records and highlighting a scary uptrend in third-party risk incidents.
Bottom line: It’s more important than ever for financial institutions (FIs) to ensure their TPRM programs are strong, and their vendors are active partners in data security, privacy, and safety.
The anatomy of a third-party breach
On July 16, 2025, attackers posed as IT helpdesk staff and used social engineering to trick an Allianz employee into granting access to the company’s Salesforce CRM system. With insider-level access, the attacker leveraged Salesforce’s Data Loader tool to perform bulk data transfers, stealing names, addresses, phone numbers, dates of birth, Social Security numbers, and other personally identifiable information (PII). Allianz detected the breach within 24 hours and alerted the FBI, but the data was already exfiltrated. Class actions are now being filed.
The attack is reportedly linked to the Shiny Hunters extortion group, which has been using social engineering attacks (specifically “vishing” or voice phishing) to steal data from companies that use Salesforce CRM services, including Google Ads SMB, Chanel, LVMH Brands, Adidas, and others.
If top CRMs with robust security teams, advanced threat detection, regular testing, and certifications like SOC 2 and ISO 27001 can be vulnerable to phone-based attacks, your FI and vendors could be at risk, as well.
A rising tide of third-party attacks
The Salesforce attacks are part of an alarming trend in third-party incidents that have accelerated throughout 2024 and 2025:
- 35.5% of all breaches in 2024 were third-party related.
- 41.4% of ransomware attacks now originate through third parties.
- Major insurance companies, including Aflac, Erie Insurance, and Philadelphia Indemnity Insurance, have all fallen victim to similar attacks.
- The average cost of a data breach in the financial sector reached $6.08 million in 2024.
These stats underscore a fundamental shift in the threat landscape. Third-party vendors can act as easy doors to unlock sensitive data across multiple organizations — and they’re being targeted more aggressively than ever.
Why are financial services prime targets for third-party attacks?
While all industries are susceptible to malicious third-party activities, the insurance and financial services sectors face specific challenges that make TPRM especially critical:
- Expansive vendor relationships: The Ncontracts 2025 TPRM Survey Report highlights that many FIs rely on dozens or even hundreds of third-party vendors, from CRMs to payment systems, creating multiple points of potential access.
- High-value data: CRM systems aren’t the only risk; any vendor handling sensitive data can be a target. Consider your FI’s core banking, payment processors, loan origination, document management, mortgage servicing, and wealth management platforms, all of which store critical personal, financial, and transactional information.
- Regulatory scrutiny: Breaches can trigger substantial fines, legal liability, and compliance obligations under the E.U.’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other industry-specific regulations.
- Customer trust: In an industry built on trust, a data breach can lead to significant customer and reputation loss. For some small and struggling FIs, the operational strain and compounding effects of a data breach can be even more impactful.
What is social engineering? The rise of human-focused attacks
The Allianz breach underscores a critical vulnerability every organization has: people. Attackers didn’t exploit software flaws — they exploited human behavior. In other words, investing heavily in technology can’t replace employee training and a strong risk culture.
Social engineering attacks are getting more sophisticated. Threat actors now mine social media and public sources for insider information, craft personas that mimic legitimate business processes, exploit workplace pressure and urgency, and target new hires or customer-facing employees who are more likely to respond, to name a few tactics.
The Allianz data breach is an example of a “vishing” incident, in which attackers used phone calls to impersonate IT staff, tricking employees into granting access to a cloud-based CRM system — bypassing technical defenses entirely and exposing sensitive customer and employee data.
What's the cost of a third-party data breach?
The financial impact of third-party breaches extends far beyond immediate incident response costs:
- Direct costs: Average breach costs in financial services now exceed $6 million, including forensic investigations, legal fees, and notification expenses.
- Lost business: Stock prices of publicly traded firms typically drop 7.5% following a breach announcement.
- Operational disruption: Investigation and remediation can disrupt operations. A 2024 IBM report found that lost business, including downtime, lost customers, and reputational damage, was a primary driver of breach costs.
- Long-term monitoring: While credit monitoring and identity theft protection are not federal regulatory requirements, some states do require it. Allianz is offering 24 months of protection following its data breach.
- Legal liability: Class action lawsuits, like the one filed against Allianz on July 31, 2025, are not uncommon following a data breach, though the amounts vary widely. Equifax’s settlement over its 2017 breach remains the largest in U.S. history at $700 million.
How to build a robust TPRM program
The Allianz breach and the broader wave of Salesforce-related incidents serve as a wake-up call that your organization's security is only as strong as your weakest third-party link. Here are some concrete steps your FI can take to reduce risk, protect sensitive data, and prepare for inevitable social engineering attempts.
- Ensure employee awareness and social engineering training. Provide regular training to employees on phishing, vishing, and other social engineering tactics. Focus role-specific drills on customer-facing staff and new hires, who are common targets. Conduct simulated attacks to assess employee readiness and reinforce best practices.
- Conduct thorough vendor due diligence. Evaluate your vendors based on the sensitivity of the data they handle, the criticality of their services, and their overall security maturity. Vendors — especially critical vendors — should have strong cybersecurity policies, SOC 2 or ISO 27001 certifications, and conduct regular penetration testing. Make time to investigate any past security incidents and assess how effectively the vendor responded. If the vendor responded poorly, then how will it respond tomorrow if an incident occurs?
- Implement strong contract protections. Define your vendor responsibilities for data protection, monitoring, and incident reporting in writing. Include right-to-audit clauses that allow periodic review of the vendor’s security controls. Ensure contracts specify how data will be returned or securely destroyed if the relationship ends.
- Layer access and monitoring. When it comes to sensitive systems, too many cooks in the kitchen can lead to mistakes. Limit vendor access to only what’s necessary, and continuously monitor activity to detect unusual patterns early. Where possible, isolate third-party systems from critical internal infrastructure to limit potential impacts.
- Confirm incident response planning. Include vendors in your incident response plan by establishing clear communication channels and escalation protocols. Have a process in place for rapidly revoking vendor access if they are compromised. Ensure timely notification to regulators, customers, and internal stakeholders when incidents occur.
- Practice ongoing vendor risk management. Regularly update vendor risk ratings based on new threats, changes in services, or detected vulnerabilities. Schedule periodic reviews of vendor security posture, including penetration test results and compliance certifications. Maintain a centralized dashboard to track all vendor risk scores, incidents, and remediation progress.
- Emphasize a security-first culture. Your vendors’ risk is your FI’s risk. Encourage vendors to adopt best practices, share threat intelligence, and participate in joint tabletop exercises. Assume that a vendor breach is possible at any point, and proactively build resilience into your processes.
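The Allianz timeline above turned on one observable fact: an attacker with a stolen login used a bulk-export tool to pull far more records than that account ever had before. The "continuously monitor activity to detect unusual patterns early" step is where a defender can catch that. The following is an added example, not code from the original post or from Ncontracts, showing one way to do it: it parses a constructed, simplified CRM export log (the four-field line format and the tool names are assumptions, not Salesforce's actual event schema) and flags exports that exceed a per-user baseline, that use a bulk tool the user has never used before, or that happen outside business hours. The thresholds (10x the user's median, a 5,000-row floor, 07:00-19:00 UTC) are also assumptions to tune against your own data.

```python
"""Flag anomalous bulk exports in a CRM audit log.

Added example; not part of the original post or any vendor's product.
The log format below is a constructed stand-in: each line is
  <ISO-8601 timestamp> <user> <export client> <rows exported>
Field names and tool names are assumptions, not a real CRM's schema.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
import statistics

# Constructed sample log. alice.m routinely runs moderate bulk loads;
# bob.k only runs small report exports until the final, suspicious line.
SAMPLE_LOG = """\
2025-07-01T09:12:00Z alice.m DataLoader 1200
2025-07-02T09:40:00Z alice.m DataLoader 900
2025-07-03T10:05:00Z alice.m DataLoader 1500
2025-07-08T11:30:00Z alice.m DataLoader 1100
2025-07-10T14:00:00Z bob.k ReportExport 300
2025-07-11T14:10:00Z bob.k ReportExport 250
2025-07-14T15:00:00Z bob.k ReportExport 400
2025-07-16T02:17:00Z bob.k DataLoader 850000
"""

# Detection thresholds (assumptions; tune against your own baseline data).
VOLUME_MULTIPLIER = 10     # alert when rows exceed 10x the user's median
ABSOLUTE_FLOOR = 5000      # never alert on volume alone below this many rows
BUSINESS_HOURS = (7, 19)   # UTC hours considered normal for exports


@dataclass
class ExportEvent:
    ts: datetime
    user: str
    client: str
    rows: int


@dataclass
class Alert:
    event: ExportEvent
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Parse the constructed log format into time-ordered ExportEvents."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, client, rows = line.split()
        # Convert the trailing 'Z' so fromisoformat() accepts it on older Pythons.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ExportEvent(when, user, client, int(rows)))
    events.sort(key=lambda e: e.ts)
    return events


def detect_bulk_export_anomalies(events, multiplier=VOLUME_MULTIPLIER,
                                 floor=ABSOLUTE_FLOOR, hours=BUSINESS_HOURS):
    """Return an Alert for each export that breaks the user's own pattern.

    An alert needs at least one primary signal (volume spike or a tool the
    user has never used); off-hours timing is recorded as supporting context
    so a normal-sized, normal-tool export at night does not page anyone.
    """
    history = defaultdict(list)      # user -> row counts of earlier exports
    seen_clients = defaultdict(set)  # user -> export tools used before
    alerts = []
    for ev in events:
        primary, context = [], []
        prior = history[ev.user]
        if prior:
            baseline = statistics.median(prior)
            if ev.rows >= floor and ev.rows > multiplier * baseline:
                primary.append(
                    f"{ev.rows} rows exceeds {multiplier}x user median ({baseline:.0f})")
        elif ev.rows >= floor:
            primary.append(f"first recorded export by user is already {ev.rows} rows")
        if seen_clients[ev.user] and ev.client not in seen_clients[ev.user]:
            primary.append(f"first use of {ev.client} by this user")
        if not (hours[0] <= ev.ts.hour < hours[1]):
            context.append("outside business hours (UTC)")
        if primary:
            alerts.append(Alert(ev, primary + context))
        # Update baselines after evaluating, so an event never vouches for itself.
        history[ev.user].append(ev.rows)
        seen_clients[ev.user].add(ev.client)
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_export_anomalies(parse_log(SAMPLE_LOG)):
        e = alert.event
        print(f"ALERT {e.ts.isoformat()} user={e.user} client={e.client} rows={e.rows}")
        for reason in alert.reasons:
            print(f"  - {reason}")
```

On the sample data only the final line is flagged, for all three reasons at once: the volume is orders of magnitude above bob.k's median, it is his first use of the bulk tool, and it ran at 02:17 UTC. Baselines are built per user from that user's own earlier events, which is what makes a compromised account stand out even when the same tool is routine for someone else in the organization; in production the same logic would read the CRM's export or API event feed rather than a string.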
The Allianz Life and Salesforce incidents prove that sophisticated attackers will exploit any weak link — often a human one — to gain access. FIs that proactively strengthen third-party risk management, enforce contractual protections, train employees, and continuously monitor vendor activity will be far better positioned to mitigate the impact of a breach.
Need to perform vendor due diligence, but can’t access the necessary documentation? Check out our guide for steps to take when a vendor is unresponsive.