Emerging ThreatsMalware & Ransomware

Ransomware Gang Exposes Alleged Liberty Mutual Data Trove

Analyst 207||Source: GovInfoSecurity
Data storage room with rows of file cabinets and servers, and an open laptop in the foreground.

"After the full publication, all the data was duplicated across various hacker forums and leak database sites," Everest said on its dark website.

What Everest Group says it took: 108 gigabytes and tens of thousands of files

Ransomware gang Everest Group posted what it claims is a 108‑gbyte trove of data it says was stolen from Liberty Mutual on April 30. The group has published files and folders it describes as containing policyholder information—explicitly naming customer names, addresses, policy numbers and financial and insurance details among the contents.

Everest framed the publication as the result of Liberty Mutual having "failed" to respond to its demands, then moving to release the material publicly. The group said the collection it published was quickly duplicated across other hacker forums and leak database sites.

Liberty Mutual acknowledges the allegation and points to a third‑party vendor

Liberty Mutual issued a statement acknowledging the online allegations and saying the company "immediately launched an investigation into online allegations regarding a data incident at Liberty Mutual." The insurer added that its current review "does not indicate a compromise of Liberty Mutual systems or networks" and that the matter "appears to involve an incident at a third‑party vendor."

The company information cited in the statement includes its reporting of net revenue of nearly $50.5 billion in 2025 and a description on its website as a Fortune 100 company with more than 40,000 employees in 27 countries, ranked as the ninth largest global property and casualty insurer.

Timeline: April 30 theft claim, publication after demands allegedly ignored

According to Everest’s account, the data was taken on April 30; the group published what it says is the full cache late Monday afternoon after declaring the insurer had not met its demands. Everest’s own posting emphasizes that once the material was released, the data proliferated beyond the gang’s site to multiple forums and leak databases.

The sequence asserted by Everest—alleged theft, a demand cycle, then public release—matches a pattern the group described on its dark website, but Liberty Mutual’s statement centers the investigation on a third‑party vendor rather than an internal systems breach.

What this means for policyholders, third‑party vendors, and security teams

  • Policyholders: Everest specifically named policyholder information—customer names, addresses, policy numbers and financial and insurance details—among the files it posted. Affected customers and insureds named in those files will need to monitor communications and any notifications Liberty Mutual or the vendor provide as the company continues its review.
  • Third‑party vendors: Liberty Mutual’s statement that the incident "appears to involve an incident at a third‑party vendor" places vendors squarely in the spotlight. Contractual security obligations and data handling practices for vendors that hold or process insurer data will be central to any subsequent inquiry.
  • Security teams at large insurers: The rapid duplication of the alleged 108‑gbyte cache across hacker forums and leak databases underscores the speed at which once‑published material can spread. Security teams will be watching for those mirrored postings as part of any containment and notification efforts while investigations proceed.

Scale and operational context: volume, duplication, and corporate scale

The size Everest claims—108 gigabytes—and its statement that the material was "duplicated across various hacker forums and leak database sites" highlights two operational challenges: first, the logistical task of identifying which specific files contain sensitive customer data within a large set of folders; second, the difficulty of reining in distribution once data is publicly posted.

Liberty Mutual’s description as a Fortune 100 insurer with nearly $50.5 billion in 2025 net revenue and operations in 27 countries frames the potential exposure across a sizable customer base and multiple jurisdictions. Those corporate facts were provided in Liberty Mutual’s publicly available materials and cited in the company’s response.

The immediate record from the parties involved is direct and circumscribed: Everest has published an alleged 108‑gbyte cache and claims tens of thousands of Liberty Mutual files; Liberty Mutual says it is investigating, that the matter appears tied to a third‑party vendor, and that its systems do not currently appear compromised. The next concrete steps will be determined by the ongoing investigation and any notifications the insurer or vendor issue to affected customers.

Original story

Data BreachEmerging ThreatsRansomwareEverest GroupLiberty MutualInsurance Sector
Related Intelligence

Continue Reading

Brightly lit office setting with computer workstation and server room in background.

Nissan Breach Exposes Employee Data After Oracle PeopleSoft Exploit

Nissan confirmed a data breach exposing employee information after a cyberattack exploited a critical vulnerability in Oracle PeopleSoft, part of a larger campaign that may have compromised hundreds of companies. The breach was tied to a specific threat actor targeting Nissan's personnel records.

Analyst 207
Brightly-lit office setting with a large window and subtle tech hint.

ShinyHunters Breach Exposes NAIC's Public Data

The National Association of Insurance Commissioners (NAIC) revealed that a breach exposed its public data after an unauthorized third party exploited a PeopleSoft vulnerability, identified as CVE-2026-35273, tied to the notorious ShinyHunters extortion group. This security issue allowed attackers to gain access to a portion of NAIC's IT systems, compromising sensitive information.

Analyst 207
Laptop on a desk with a Google Chrome browser window open displaying a search engine results page.

Malicious Chrome Extension Exploits Search Functionality for Data Interception

A malicious Chrome extension, masquerading as a popular AI search engine, was discovered to be secretly logging users' searches and address bar inputs, with Microsoft confirming that the data collection was no accident. The extension, since removed by Google, cleverly disguised itself as a legitimate tool, routing queries through an attacker-controlled server.

Analyst 207
Brightly-lit industrial setting shows subtle signs of disruption.

The Gentlemen Ransomware Gang Exposes Advanced Tactics

Meet The Gentlemen, a notorious ransomware gang that's made a name for itself with sophisticated tactics, ranking among the top 10 ransomware actors in just a few months. Since February 2026, they've been wreaking havoc across industries and geographies, with a strong presence in Brazil, China, Indonesia, Taiwan, and Thailand.

Analyst 207