jmkni 5 days ago

> “On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life,” referring to a customer relationship management (CRM) database containing information on its customers.

So who the hell was the "third-party, cloud-based CRM system"?

ofjcihen 5 days ago

Another article mentioned Salesforce, which has a knack for being poorly secured on the data owner's side.

I’ve got another reply here with details but suffice it to say misconfigured Salesforce tenants are all over the internet.

eclipticplane 5 days ago

Even if SFDC is configured correctly, any sufficiently large or old instance of SFDC may have dozens of other systems plugged into it. Many of which get default access to everything because SFDC security and permission configuration is so byzantine.

ofjcihen 5 days ago

Absolutely, and when you throw in the ridiculous way SF does permissions AND their lack of tools for access visibility, it's no wonder these old systems stick around.

rr808 5 days ago

Google published this about Salesforce a few weeks back. https://cloud.google.com/blog/topics/threat-intelligence/voi...

milesskorpen 5 days ago

Does it matter? Wasn't a technical breach of their systems, but instead social engineering.

poemxo 5 days ago

If a cloud-based system doesn't support technologies that deter social engineering, it's still a problem. Some login portals to check your credit history don't even support 2FA.

So I think it matters. I think access systems should be designed with a wider set of human behaviors in mind, and there should be technical hurdles to leaking a majority of customers' personal information.

politelemon 5 days ago

It matters. That's often a generic phrasing used to make it look like it was a partner's fault. But very often it is simply a platform that was managed by and configured by the company itself, which would mean more than just social engineering. Take a look at the language used in other breaches and it's very similarly veiled.

MontagFTB 5 days ago

Depending on the CRM, is this not a HIPAA violation?

marcusb 5 days ago

Why would it be? Is Allianz Life a covered entity? If so, why would it depend on the specific CRM being used?

tfehring 5 days ago

Allianz Life publishes a HIPAA privacy notice at [0], which states:

> This notice applies to individuals who participate in any of the following programs under the closed line of business:

> • Long term care

> • Medical

> • Medical supplemental

> • Hospital income

> • Cancer and disease specific coverage

> • Dental benefits

> The Covered Entity’s actions and obligations are undertaken by Allianz employees as well as the third parties who perform services for the Covered Entity. However, Allianz employees perform only limited Covered Entity functions – most Covered Entity administrative functions are performed by third party service providers.

It sold long term care insurance policies until 2010.

(Disclosure, I happen to have worked at Allianz Life a long time ago, though I have no nonpublic information about any of this.)

[0] https://www.allianzlife.com/-/media/Files/Allianz/PDFs/about...