USAA Data Breaches Expose Sensitive Military Member Data in Three Separate Incidents (2021–2024)
Between 2021 and 2024, USAA one of the largest financial institutions serving active-duty military, veterans, and their families disclosed three major data breaches, each stemming from different vulnerabilities. The incidents compromised the personal and financial information of over 73,000 members, with risks amplified by the high-value nature of military identities in fraud schemes.
2021: Exploited Insurance Quote Tool
In May 2021, attackers leveraged a flaw in USAA’s online insurance quote tool, which lacked rate limiting and CAPTCHA controls. By cycling through stolen personal data from other breaches, criminals matched records to active USAA accounts, exposing driver’s license numbers and other PII for 22,383 members (12,627 in New York alone). The breach led to a $3.25 million class-action settlement, with affected members eligible for payouts averaging $143 per claim.
2022–2023: Third-Party Contractor Credential Abuse
From December 20, 2022, to May 18, 2023, call center representatives at a USAA third-party vendor shared login credentials with unauthorized individuals, granting access to member accounts. The breach exposed names, addresses, partial Social Security numbers, bank details, PINs, and debit/credit card numbers for ~19,000 members. A smaller, unrelated incident in August 2023 involved another contractor mishandling data, though the number of affected members was undisclosed. USAA offered two years of free Experian IdentityWorks monitoring to victims, who were not notified until June 26, 2023 over a month after the breach window closed.
2024: Internal System Error Leaks Documents
On April 13, 2024, a routine system update misconfigured USAA’s document delivery platform, causing 32,276 members’ files including Social Security numbers, medical records, and insurance policy details to be visible to other users. USAA detected the error on April 30 but did not notify affected members until August 27, sparking a lawsuit alleging negligence and delayed disclosure. While no fraud was reported, the exposed data posed significant identity theft risks.
Legal and Security Fallout
- The 2021 breach resulted in the $3.25 million settlement, with claims still open.
- The 2024 incident prompted a lawsuit over delayed notifications.
- USAA has not attributed any breach to a nation-state actor or organized hacking group; instead, failures ranged from design flaws to third-party insider threats and internal errors.
- Affected members received free Experian IdentityWorks monitoring, though experts note this service is not the most robust option for identity protection.
Impact on Military Members
USAA’s breaches are particularly concerning due to its military-affiliated customer base, whose data carries higher trust signals in financial systems. Stolen information such as Social Security numbers, bank details, and medical records enables fraudsters to open fraudulent accounts, file false benefits claims, or conduct targeted phishing attacks. The incidents underscore vulnerabilities in third-party vendor oversight, system design, and change management, none of which required sophisticated cyberattacks to exploit.
Source: https://www.security.org/identity-theft/breach/usaa/
USAA cybersecurity rating report: https://www.rankiteo.com/company/usaa
"id": "USA1781641808",
"linkid": "usaa",
"type": "Breach",
"date": "5/2021",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Over 73,000 members',
'industry': 'Banking and Insurance',
'location': 'United States',
'name': 'USAA',
'size': 'Large',
'type': 'Financial Institution'}],
'attack_vector': ['Exploited Software Flaw',
'Credential Abuse',
'Internal System Error'],
'customer_advisories': 'Affected members notified via mail and offered free '
'identity monitoring',
'data_breach': {'file_types_exposed': ['Documents (e.g., insurance policies, '
'medical records)'],
'number_of_records_exposed': ['22,383 (2021)',
'~19,000 (2022–2023)',
'32,276 (2024)'],
'personally_identifiable_information': ['Names',
'Addresses',
'Social Security '
'numbers',
'Driver’s license '
'numbers'],
'sensitivity_of_data': 'High (Social Security numbers, bank '
'details, medical records)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Data',
'Medical Records',
'Insurance Policy Details']},
'date_detected': ['2021-05', '2023-05-18', '2024-04-30'],
'date_publicly_disclosed': ['2021', '2023-06-26', '2024-08-27'],
'description': 'Between 2021 and 2024, USAA disclosed three major data '
'breaches stemming from different vulnerabilities, '
'compromising the personal and financial information of over '
'73,000 members, including active-duty military, veterans, and '
'their families. The breaches involved exploited flaws in an '
'insurance quote tool, third-party contractor credential '
'abuse, and an internal system error.',
'impact': {'brand_reputation_impact': 'Significant, particularly due to the '
'military-affiliated customer base',
'data_compromised': 'Personal and financial information, including '
'driver’s license numbers, Social Security '
'numbers, bank details, PINs, debit/credit '
'card numbers, medical records, and insurance '
'policy details',
'financial_loss': '$3.25 million (class-action settlement)',
'identity_theft_risk': 'High, due to exposure of Social Security '
'numbers, bank details, and medical records',
'legal_liabilities': ['Class-action lawsuit ($3.25M settlement)',
'Lawsuit over delayed notifications (2024)'],
'operational_impact': 'Delayed member notifications, legal '
'actions, and regulatory scrutiny',
'payment_information_risk': 'High, due to exposure of debit/credit '
'card numbers and PINs',
'systems_affected': ['Online insurance quote tool',
'Call center systems',
'Document delivery platform']},
'investigation_status': 'Ongoing (legal actions pending)',
'lessons_learned': 'Vulnerabilities in third-party vendor oversight, system '
'design, and change management can lead to significant '
'breaches without sophisticated cyberattacks. '
'Military-affiliated data requires heightened protection '
'due to its high value in fraud schemes.',
'motivation': ['Financial Gain', 'Fraud', 'Identity Theft'],
'post_incident_analysis': {'corrective_actions': ['System updates',
'Stricter vendor oversight',
'Improved notification '
'protocols'],
'root_causes': ['Design flaws in online tools',
'Third-party credential abuse',
'Internal system '
'misconfiguration']},
'recommendations': ['Implement stricter rate limiting and CAPTCHA controls',
'Enforce multi-factor authentication for third-party '
'vendors',
'Improve system update and configuration management',
'Enhance monitoring and notification protocols for '
'breaches'],
'references': [{'source': 'Class-action settlement details'},
{'source': 'USAA breach notifications'}],
'regulatory_compliance': {'legal_actions': ['Class-action lawsuit ($3.25M '
'settlement)',
'Lawsuit over delayed '
'notifications (2024)']},
'response': {'communication_strategy': 'Delayed member notifications (e.g., '
'2024 breach notified in August)',
'remediation_measures': ['Offered free identity monitoring',
'System updates and reconfigurations'],
'third_party_assistance': 'Experian IdentityWorks monitoring'},
'title': 'USAA Data Breaches Expose Sensitive Military Member Data in Three '
'Separate Incidents (2021–2024)',
'type': ['Data Breach', 'Insider Threat', 'System Misconfiguration'],
'vulnerability_exploited': ['Lack of rate limiting and CAPTCHA controls',
'Shared login credentials',
'Misconfigured document delivery platform']}