Salesforce Sued Over Data Breach Affecting 1 Million Farmers Insurance Customers

3 min read time
Headshot of John A. Yanchunis, a Tampa-based whistleblower and qui tam lawyer from Morgan & Morgan Reviewed by John A. Yanchunis, Attorney at Morgan & Morgan, on September 2, 2025.
Media image.

Injured? 

We can help.

More than 1 million Farmers Insurance customers may have had their personal data exposed in a breach tied to Salesforce, a cloud-based software giant. 

A proposed class action recently filed in California federal court alleges that Salesforce’s systems were compromised, putting highly sensitive consumer information at risk—when the company should have been better secured to keep that data private.

 

What Happened With the Salesforce Data Breach?

According to the lawsuit, hackers gained access to Salesforce’s databases in or around May. The personal information exposed included:

  • Names
  • Addresses
  • Dates of birth
  • Driver’s license numbers
  • Partial Social Security numbers

Farmers Insurance discovered suspicious activity on May 30 involving unauthorized access to a third-party vendor’s systems, believed to be Salesforce. The company said monitoring tools helped it quickly detect and contain the incident, blocking the unauthorized actor.

However, plaintiffs argue the security failures were significant. Hackers allegedly targeted Salesforce through compromised customer “tokens” in an open authorization process and phishing attempts involving fake Salesforce apps.

 

Why Salesforce?

 

Salesforce is one of the largest providers of cloud services in the U.S., supplying customer relationship management (CRM), marketing automation, e-commerce, analytics, and artificial intelligence tools to corporations nationwide. Because of its central role in storing and processing sensitive data, the complaint describes the breach as a “hub-and-spoke” case: Salesforce is the hub, while companies like Farmers Insurance (and potentially others) are the spokes.

The concern is that if Salesforce was breached, the impact could extend far beyond Farmers Insurance’s 1.1 million affected customers, potentially affecting other Salesforce clients as well.

 

Legal Claims Against Salesforce

Plaintiff Malcolm Scott, a Florida resident, filed the proposed class action alleging negligence and multiple violations of privacy and consumer protection laws. The lawsuit includes claims for:

  • Negligence
  • Breach of implied contract
  • Breach of fiduciary duty
  • Invasion of privacy
  • Unjust enrichment
  • Violations of California’s Unfair Competition Law
  • Violations of the Driver’s Privacy Protection Act

The suit alleges that Salesforce and other defendants knew or should have known about weaknesses in their data security. By failing to adequately safeguard sensitive personal information, they exposed customers to identity theft and fraud.

 

What Are the Risks for Consumers?

Victims of this breach may face serious consequences, including:

  • Identity theft
  • Fraudulent financial activity
  • Compromised driver’s license or Social Security information
  • The need to spend significant time and money protecting accounts

Even if no fraudulent activity has occurred yet, victims are forced to take steps such as monitoring credit reports, freezing accounts, and remaining vigilant for phishing attempts.

 

What Are Plaintiffs Seeking?

The lawsuit is seeking monetary damages, including:

  • Actual and statutory damages
  • Punitive damages
  • Maximum compensation allowable under the law

While no specific dollar figure has been provided, the scope of the alleged breach and the number of affected consumers mean damages could be substantial.

 

Who Is at Fault for the Salesforce Data Breach?

When major third-party vendors like Salesforce are breached, the ripple effect can be massive, impacting millions of consumers across multiple companies.

This growing concern is also driving a growing trend in litigation: holding not just the company you gave your information to, such as Farmers Insurance, accountable but also the third-party technology providers that are supposed to safeguard that information.

While many lawsuits are being filed against Salesforce, some may include the partnering company that used the third party without vetting their security standards.

 

What You Can Do if You’re Affected

If you believe your data may have been exposed in the Salesforce breach, it’s important to act quickly:

  • Monitor your accounts and credit reports for unusual activity.
  • Consider placing fraud alerts or credit freezes with major credit bureaus.
  • Stay alert for phishing emails or suspicious login attempts that may use your stolen information.
  • Keep records of any fraudulent charges, suspicious communications, or steps you’ve taken to protect yourself.

     

How Morgan & Morgan Can Help

At Morgan & Morgan, we fight for the rights of consumers impacted by data breaches. If your information was exposed due to Salesforce’s alleged negligence, you may be entitled to financial compensation. Our attorneys are experienced in handling complex class action and data breach cases, and we’re here to help you pursue justice.

If you think you were affected by the Salesforce data breach, contact Morgan & Morgan today for a free case evaluation.

Disclaimer
This website is meant for general information and not legal advice.

Injured? Getting the compensation you deserve starts here.

An illustration of a broken car.