Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Hackers have gained access to the personal information of the majority of Allianz Life’s 1.4mn US customers, the insurer said in a statement, as well as data on some employees.
“On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM [customer relationship management] system used by Allianz Life Insurance Company of North America,” the Minneapolis-based company said in a statement. “We took immediate action to contain and mitigate the issue and notified the FBI.”
Allianz Life, a subsidiary of Munich-based insurance conglomerate Allianz, said that the hacker, whose identity it did not disclose, had used a “social engineering technique” to obtain the data.
Ransomware attacks targeting companies through their third-party vendors or suppliers have become increasingly common, according to cyber security analysts. Many of the incidents involve hackers manipulating employees using so-called social engineering, in which cyber criminals dupe staff into changing passwords and resetting authentication processes in order to gain access to private data.
About 30 per cent of data breaches involved third parties, US telecoms company Verizon found in its 2025 report, compared with 15 per cent the previous year.
The personally identifiable information accessed in hacks of CRM systems is often limited to data such as names, addresses and dates of birth, rather than more sensitive financial data.
Allianz has more than 125mn customers globally. Through its Allianz Commercial arm, the company offers insurance against cyber attacks and advises companies on minimising their exposure to the threat.
Allianz Life said its investigation into the incident was ongoing, and that so far it had found “no evidence” that its internal system or “other company systems” had been breached.
The company first disclosed the breach as part of a mandatory filing with the attorney-general in Maine, and said that it would notify customers about a week later, on August 1.
The Maine filing specified that customers would be given identity theft protection services through Kroll, which provides identity theft restoration and monitoring services.
