AssuranceAmerica has disclosed a data breach affecting nearly seven million individuals after attackers gained access to company systems through a phishing attack targeting an employee. The insurer said the incident exposed driver’s license numbers, insurance records, and other personal information belonging to customers across multiple U.S. states.
According to breach notifications, the intrusion began on March 16 when an employee was tricked into providing access to the company’s network. AssuranceAmerica detected suspicious activity the following day and launched an investigation with the assistance of external cybersecurity specialists.
The company determined that the attackers accessed files containing information related to 6,998,886 individuals. The compromised data varies by person but may include names, addresses, dates of birth, driver’s license numbers, Social Security numbers, Tax Identification Numbers, automobile insurance policy details, claims information, vehicle information, and other personal records.
AssuranceAmerica said there is no evidence that financial account information or payment card data was affected. However, the exposed information could still present a significant identity theft risk because it contains government-issued identification numbers and insurance-related records that may be valuable to cybercriminals.
The insurer began notifying affected individuals by mail in June and is offering complimentary credit monitoring and identity protection services to eligible victims. The company is also encouraging customers to review account statements, monitor credit reports, and remain alert for suspicious communications that could attempt to exploit the stolen information.
The breach is believed to have impacted policyholders across more than a dozen states. State regulators have also received breach notifications as required under applicable data breach disclosure laws.
AssuranceAmerica said it has strengthened its security measures following the incident, including enhancing employee security awareness training and implementing additional safeguards designed to reduce the risk of similar phishing attacks. The company has not disclosed whether the attackers have been identified or whether any ransomware was deployed during the intrusion.
