So recently Ally bought or acquired...or whatever GMAC. I was never notified of the change until one day while checking my email I was notified of an outage that occurred on the GMAC (then changed to Ally) website from a company called Ally. I originally thought it was a scam and then after research found out that they had in fact gone from GMAC to Ally. Nonetheless, everything went on pretty much like normal. Then today while reading my email I noticed a weird notice from Ally about my "payment confirmation". I knew I hadn't made a payment online since I am on auto pay and that it would have certainly not happened today. After opening the email I discovered the payment confirmation was for a different customer who I didn't know at all. In the email was the customer's first and last name, the last 5 numbers of their account (with stars and dashes which indicate the length and numbering of the account), the date and amount paid and the payment confirmation. Now granted, this information won't walk me straight through a login page, but with some social engineering I'm sure someone could have easily called with the confirmation, stated that they couldn't remember their account number but had the last four/five digits, and asked if they could read back the card they used to pay because they think they typed it incorrectly yadda yadda. So then I got concerned that if I received this email...who might have received mine? How many others are affected? It had been a full 11 hours since the email was sent out with no outreach by Ally regarding anything like this. So I thought...maybe I was the only one. I decided to call Ally to let them know of the issue in case it could affect others. I had to call 7 times before I got connected to someone. Every time I called it would tell me that customer service was too busy taking calls due to their "new website" and would hang up on me!
It was ridiculous...here I had a security risk and I couldn't even get a hold of a customer service representative. I looked at their site...no online chat, no email contact, just snail mail. Crazy! Finally, on the final try I got into the customer service queue. I would have sat there all day if I had to, to get this security concern addressed. When I finally got a hold of someone I was told that they were aware of the issue and "not to worry about it". I didn't feel comfortable at all with the discussion and was surprised that if they were aware of it they hadn't sent out an email letting customers know about the situation and what to do if they are concerned. I kept pushing the concern I had with the CR and finally she asked if I'd like to be called back when they have the issue resolved. I of course said certainly. At that point she called the whole phone call resolved and asked me to stay on the phone for a survey. I skipped out on taking the survey.
Maybe I'm overreacting but I take the transferring of information very seriously as I am a web administrator and developer. All it takes is a CR not following the strict procedures and a little social engineering to get someone access to your bank account with the information "accidentally" sent to me.