Allianz Breach: What It Teaches About MFA & Phishing Risk

Dayna-Jean Broeders

29 July 2025

5 min read

When one click leads to crisis: What the Allianz breach teaches every business about being cyber aware

In July 2025, Allianz Life confirmed a significant data breach that exposed sensitive personal data of over 1.4 million US customers. This wasn’t a failure of firewalls or encryption.

It was a social engineering attack, a scam targeting people, not systems. Access was reportedly gained through a third-party service provider. Once inside, attackers exfiltrated names, birth dates, and Social Security numbers.

 

What’s most alarming?

This data can’t be changed.
Unlike passwords, your date of birth and ID number are permanent. For many Allianz customers, the risk of identity theft could follow them for years.

 

The real lesson: Cybersecurity is no longer just your IT team’s job

 

This breach is a stark reminder that your organisation is only as strong as your weakest human link. No matter how secure your internal systems are, if your third-party vendors or your own staff are not trained to detect phishing attempts, your data is at risk.

 

Social engineering tactics like fake login pages, urgent emails, or spoofed client messages are getting more convincing and harder to spot. Cybercriminals aren’t just hacking networks anymore; they’re hacking people.

 

How do you avoid this?

 

1. Enforce MFA everywhere possible

 

Multi-Factor Authentication (MFA) adds a second layer of security, usually something you have (like a phone) or something you are (like a fingerprint). Even if login details are stolen, MFA prevents unauthorised access.


MFA should be required on all third-party SaaS platforms handling sensitive customer or internal data.

 

If your payroll system, CRM, or document storage tools don’t have MFA enabled, they are vulnerable.
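As an added illustration (not code from this post or from NSP), here is what the "something you have" factor does under the hood: a stdlib-only RFC 6238 time-based one-time code (the kind an authenticator app on a phone generates) checked alongside the password, so a phished password without the current code is rejected. The user record, salt and password are constructed for the example; the TOTP key is the RFC 6238 reference test key, used so the codes are checkable.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference test key, used here only so the generated codes are checkable.
RFC6238_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30 s time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(key, unix_time + drift * step, step), code)
        for drift in range(-window, window + 1)
    )


# Constructed user record: a PBKDF2 password hash plus the per-user TOTP secret
# that would normally be provisioned into the authenticator app on the user's phone.
SALT = b"constructed-salt"
USER = {
    "name": "alice@example.test",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_key": RFC6238_TEST_KEY,
}


def login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must check out; a stolen password alone is not enough."""
    if username != USER["name"]:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(candidate, USER["pw_hash"]):
        return False
    return verify_totp(USER["totp_key"], code, unix_time)


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time; real code uses int(time.time())
    print("password only:", login("alice@example.test", "correct horse", "000000", now))  # False
    print("both factors :", login("alice@example.test", "correct horse", totp(RFC6238_TEST_KEY, now), now))  # True
```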

 

2. Invest in real phishing awareness training

 

Phishing attacks are responsible for 91% of all cyber breaches. It only takes one employee clicking the wrong email to open the door to your entire system.

 

At NSP, we use KnowBe4, one of the most highly rated security awareness platforms globally. It enables us to simulate phishing attacks, track engagement, and upskill your staff over time, proactively, not reactively.

 

This means fewer risky clicks, more resilient behaviour, and fewer incidents like Allianz’s.

 

3. Audit your third-party vendors

 

  • Do you know if your third-party vendors use MFA?

  • Do you have visibility into their security practices?

  • Have you reviewed their access levels to your systems?

 

We help clients review their third-party risk exposure, ensure contracts enforce minimum security standards, and implement controls like conditional access or Zero Trust frameworks.

 

What's at stake?

 

The Allianz breach exposed data that now can’t be retracted or reset. For any business handling customer or personal data, especially in legal, real estate, finance, or health, this level of exposure is unacceptable.

 

You may not be a global insurer, but the impact of a breach can still be catastrophic:

 

  • Financial penalties

  • Reputational damage

  • Loss of client trust

  • Permanent exposure of private information

 

The bottom line

 

Breaches don’t start with a system failure. They start with a click, a missed update, or a complacent user. You can’t afford to wait until you’re the next headline.

Start with smarter controls, practical user training, and MFA across your stack.

 

How NSP Can Help

 

  • Implement MFA across your devices and cloud tools

  • Provide phishing simulations and user training

  • Assess your third-party SaaS ecosystem for risks

  • Build a proactive cybersecurity culture, not just tools

 

Frequently Asked Questions

 

1. What caused the Allianz data breach?


The breach occurred through a third-party vendor that was compromised via a social engineering attack. Attackers used tactics like phishing to trick users into giving up access credentials, bypassing traditional security controls.

 

2. Can MFA really prevent these kinds of attacks?


Yes. Multi-Factor Authentication (MFA) is one of the most effective safeguards against credential theft. Even if login details are compromised, MFA prevents unauthorised access without a second verification method (like a mobile app or biometric scan).

 

3. Why isn’t antivirus enough anymore?


Antivirus software protects against known threats, but it won’t stop phishing, social engineering, or credential-based attacks. These threats target users, not systems, and that’s where awareness training and layered security come in.

 

4. How can I make sure my staff won’t fall for phishing emails?


Regular, realistic phishing simulations and awareness training are essential. Tools like KnowBe4 help employees recognise suspicious emails before they click, reducing your risk significantly over time.

 

5. What’s the risk if I don’t assess third-party systems?


If your vendors or partners have access to your systems or data and they’re not secure, they become a backdoor into your business. Without visibility into their security posture, you’re exposed to breaches outside of your control.

 

Start your security awareness training

Contact us at hello@nsp.co.nz to get started with a user training program or a third-party security audit, or alternatively complete the form by clicking below.
