Unauthorized Access to Vendor Database Exposes Farmers Insurance Customer Information

Farmers Insurance was alerted by one of its third-party vendors to suspicious activity in a vendor-managed database. An investigation confirmed that an unauthorized actor had accessed and exfiltrated customer data before the activity was contained. Farmers has since disclosed the incident publicly and begun notifying approximately 1.1 million impacted customers.

Severity Level: High

Incident Overview

  • Date of Intrusion: May 29, 2025
  • Detection Date: May 30, 2025
  • Investigation Completion: July 24, 2025
  • Disclosure/Notifications: August 22, 2025
  • Affected Entity: Third-party vendor database containing Farmers customer records
  • Scope: ~1,111,386 individuals impacted
  • Support Offered: 24 months of free Cyberscout credit monitoring and identity protection services

Breach Details

  • A third-party vendor’s database that contained Farmers customer information was targeted.
  • Vendor monitoring tools detected unauthorized access quickly and blocked the actor.
  • Despite rapid containment, data was acquired before access was cut off.
  • A comprehensive forensic review confirmed personal data exposure.
  • While the official notice does not name the vector, open-source threat intelligence attributes this campaign to the Salesforce OAuth abuse attacks (vishing + malicious app authorization) linked to ShinyHunters/Scattered Spider.

Data Exposed During The Breach

The following personal information was confirmed compromised:

  • Name
  • Home address
  • Date of birth
  • Driver’s license number
  • Last four digits of Social Security number

Farmers emphasized that there was no evidence of additional sensitive data (e.g., full SSNs, financial accounts, or health data) being accessed.

Lessons Learned

  • This incident highlights the need for stronger oversight of third-party vendors, particularly around how they store and secure customer data.
  • Organizations must adopt stricter governance of OAuth applications and SaaS integrations to reduce risks from unauthorized access.
  • Limiting the amount of sensitive data retained in external databases and enforcing rigorous vendor security requirements can greatly reduce exposure in the event of a breach.

Recommendations

  1. Conduct mandatory vishing simulation training for all employees, especially IT support and helpdesk roles.
  2. Educate staff on MFA push fatigue attacks and social engineering pretexts such as “Salesforce troubleshooting” or “security testing.”
  3. Enforce MFA universally, including for Salesforce and connected apps. Ensure:
    • MFA is enforced at login and app authorization.
    • FIDO2 or phishing-resistant MFA methods are used where possible.
  4. Restrict Salesforce Connected App authorizations:
    • Limit “Customize Application” and “Manage Connected Apps” to a vetted admin group.
    • Use Salesforce allowlisting to permit only verified apps (e.g., block unknown apps like “My Ticket Portal”).
  5. Enable Salesforce Shield with:
    • Transaction Security Policies to detect:
      • Unusual data exports
      • App authorizations
      • Logins from TOR/VPN IPs
    • Event Monitoring to log:
      • User access behavior
      • API calls
      • App installations
  6. Enforce IP-based login restrictions in Salesforce:
    • Allow logins only from enterprise and VPN subnets
    • Block logins from known TOR nodes or suspicious IPs
  7. Integrate with cloud security posture management (CSPM) to assess misconfigurations in Salesforce, Okta, and Microsoft 365.
  8. Because tools like Data Loader typically require the “API Enabled” permission for full functionality, assign that permission only to the users who genuinely need it.
  9. Per Salesforce’s guidance, review and configure Data Loader access to restrict the number of users who can perform mass data operations, and regularly audit profiles and permission sets to ensure appropriate access levels.
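To make the detection goals in recommendations 5 and 6 concrete, the following is an added example (not from the advisory, Farmers, or Salesforce) that runs three simple rules over constructed, Event-Monitoring-style records: activity from outside the enterprise/VPN subnets, authorization of a connected app that is not on the allowlist, and a bulk export above a row threshold. The record field names, subnets, app allowlist and threshold are all assumptions chosen for illustration, not the real EventLogFile schema; the escalation step flags any user who trips more than one rule, which is the pattern of a malicious app authorization followed by a mass export.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records shaped loosely like Salesforce Event Monitoring rows.
# Field names are assumptions for this example, not the real EventLogFile schema.
SAMPLE_EVENTS = [
    {"type": "Login", "user": "alice@example.com", "ip": "10.20.5.14", "app": None, "rows": 0},
    {"type": "AppAuthorization", "user": "bob@example.com", "ip": "10.20.7.9", "app": "My Ticket Portal", "rows": 0},
    {"type": "BulkApi", "user": "bob@example.com", "ip": "203.0.113.77", "app": "Salesforce Data Loader", "rows": 250000},
    {"type": "BulkApi", "user": "carol@example.com", "ip": "10.20.9.3", "app": "Salesforce Data Loader", "rows": 400},
    {"type": "Login", "user": "dave@example.com", "ip": "198.51.100.5", "app": None, "rows": 0},
]

# Assumed policy values: enterprise/VPN subnets, vetted connected apps, export size threshold.
ALLOWED_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_APPS = {"Salesforce Data Loader"}
EXPORT_ROW_THRESHOLD = 100_000


def ip_allowed(ip: str) -> bool:
    """True when the source address falls inside one of the allowed subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SUBNETS)


def evaluate(events):
    """Return (user, rule, detail) findings for the three detection goals:
    off-network activity, unvetted app authorizations, and unusual bulk exports."""
    findings = []
    for ev in events:
        if not ip_allowed(ev["ip"]):
            findings.append((ev["user"], "activity_outside_allowed_subnets", ev["ip"]))
        if ev["type"] == "AppAuthorization" and ev["app"] not in ALLOWED_APPS:
            findings.append((ev["user"], "unvetted_connected_app", ev["app"]))
        if ev["type"] == "BulkApi" and ev["rows"] >= EXPORT_ROW_THRESHOLD:
            findings.append((ev["user"], "bulk_export_above_threshold", str(ev["rows"])))
    return findings


def escalate(findings):
    """Users who trip more than one distinct rule, sorted for stable output."""
    rules_by_user = defaultdict(set)
    for user, rule, _ in findings:
        rules_by_user[user].add(rule)
    return sorted(u for u, rules in rules_by_user.items() if len(rules) > 1)


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("escalate:", escalate(hits))
```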

Source:

  • https://www.bleepingcomputer.com/news/security/farmers-insurance-data-breach-impacts-11m-people-after-salesforce-attack/
  • https://www.farmers.com/content/dam/farmers/marketing/digital/aem/pdfs/disclosures/notice-of-incident.pdf
  • https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/8e99d3e3-b1f1-4f30-bbb9-be7dfca5e281.html
  • https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/f8689502-4645-45aa-a675-8c5e8fb1d96d.html

Ampcus Cyber