Recently, Ally Bank customers have been reporting a significant increase in the number of incidents involving unauthorized activity on their debit cards. While the company has yet to confirm any type of data breach, an Ally spokesperson acknowledged that the financial industry as a whole has seen an “uptick” in the rate of debit card fraud activity. Based on secondary reports, it appears that the fraudsters are engaging in “card testing,” which is a scheme where thieves make tiny charges on a card to check if it is valid before using the card for larger purchases.

If you believe that your Ally Bank debit card has been compromised, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the reports of Ally Bank debit card fraud, please see our recent piece on the topic here.

What We Know About the Ally Bank Data Breach

News of the Ally bank debit card fraud scheme is still forthcoming, as most reports are anecdotal accounts shared by Ally Bank customers on various social media platforms. However, based on what Ally customers have posted, it appears that hackers have obtained debit card numbers and are using them to make small charges in an attempt to determine whether a card is valid. Once the hacker identifies a valid card, they may then use the card to make additional purchases or sell the card number on the dark web.

For example, one news outlet details the account of a small business owner who woke up one day to find approximately 800 transactions on his merchant account. He contacted the company that handles his merchant card payments, and all charges were refunded. However, the next business day, he awoke to hundreds of missed calls. Thinking he knew what the calls were related to, he checked his merchant account to find that there were 11,000 more transactions, each for $1. Most of these unauthorized charges were made using Ally bank debit cards.

In response to customers’ concerns, an Ally bank spokesperson responded, “Across the board, the financial services industry is experiencing an uptick in debit card fraud activity caused by bad actors … Call centers are experiencing longer-than-usual wait times due to nationwide staffing challenges in combination with an increase in call volumes. This is not unique to Ally." Meanwhile, Ally Bank customers are spending more than an hour on the phone waiting to talk with a representative to address the fraudulent charges.

A more recent industry news report suggests that the cyberattack is what’s called a “BIN attack,” or a Bank Identification Number attack. In a BIN attack, hackers first obtain the first four to six numbers of a customer’s debit card. These numbers are referred to as bank identification numbers, which are the same for all of a bank’s debit cards. Thus, a hacker only needs to have or view any Ally Bank debit card to determine the bank’s bank identification number.

From there, hackers use automated software to plug in random combinations of the remaining card numbers. To do this, hackers typically use an e-commerce platform, charging a small amount to test whether the card number is valid.

More Information About Ally Bank

Founded in 1919, Ally Financial, Inc. is a bank holding company with its headquarters in Detroit, Michigan. Ally Financial’s primary holding is the online bank, Ally Bank. However, the company was originally named GMAC, Inc, but changed its name to Ally Financial in 2010. Ally Financial, through Ally Bank, provides a wide range of financial services to customers, including car loans, online banking, corporate lending, car insurance, mortgage loans, and an electronic trading platform. However, Ally Bank is a strictly online bank, meaning it has no physical branches. Ally Bank employs more than 10,500 people and generates approximately $8 billion in annual revenue.

Could Ally Bank Be Financially Liable for Customer’s Harms?

Yes, there are a few ways that customers of Ally Bank can go about recouping any losses they suffered related to debit card fraud. Perhaps the easiest way is to contact Ally Bank, asking the company to refund any charges. Given the rate of debit card fraud reported in recent weeks, it would appear that Ally Bank is well aware of the issue and should be prepared to address customers’ complaints.

In addition, Ally Bank may be liable to customers through a data breach lawsuit. Under the U.S. data breach laws, consumers whose personal information is exposed in a data breach may have legal recourse against a company they trusted with their information. Most data breach lawsuits are based on the legal concept of negligence, meaning a victim of fraud can prove their case by showing that the company was negligent in storing or protecting their information.

There are several ways a company might act negligently leading up to a data breach. For example, the following are some of the most common examples of company negligence that may result in an unauthorized party obtaining sensitive consumer information:

• A company fails to employ an adequate data security system or relies on an outdated system;

• A company mistakenly transmits consumer information to an unauthorized party;

• A company employee fails to follow the proper procedures when handling consumer data; or

• An employee responds to a phishing attack, either by clicking on a link or providing sensitive information to an unauthorized party.

Of course, given the complexities of companies’ information technology systems these days, there are many other ways a company may have been negligent. Those with questions about a company’s liability following a data breach or cyberattack should reach out to a dedicated data breach lawyer for immediate assistance.