IMA Diligence Services has notified 525,306 individuals that their personal, financial, and medical information was compromised in a December 2025 intrusion against a legacy third-party server. The Genesis ransomware group claimed responsibility for the attack in January 2026, alleging it exfiltrated 700 GB of data. The breach is now the largest confirmed ransomware-related incident against a U.S. finance firm in the past year, eclipsing the prior leader by more than 150,000 records.
What Happened
According to IMA's notice to victims, the company became aware of suspicious activity "on or about December 16, 2025," on a legacy server hosted by an unnamed third-party provider. Investigators determined that an unauthorized actor had accessed the file server and acquired files containing personally identifiable information. The server has since been decommissioned and is no longer in use.
In January 2026, the Genesis ransomware group listed IMA Diligence Services on its data leak site and claimed to have exfiltrated 700 GB of data. IMA has not publicly acknowledged Genesis' claim, and it remains unverified whether the company engaged with the threat actor or paid a ransom. The initial intrusion vector has not been disclosed.
Affected individuals are being offered 12 months of free credit monitoring through Cyberscout, with a 90-day enrollment window from the date of the breach notification letter.
What Was Taken
The exposed dataset is unusually broad, combining financial, governmental, and medical identifiers in a single victim profile. Compromised data elements include:
- Full names
- Social Security numbers
- Health insurance information
- Medical information
- Financial account information
- Driver's license numbers
- Passport numbers
- Taxpayer identification numbers
This combination provides everything required for synthetic identity creation, tax fraud, medical insurance fraud, and account takeover against high-value financial relationships. The presence of passport numbers and taxpayer IDs alongside health and financial records is consistent with diligence workflows that aggregate underwriting and KYC materials, which are inherently rich targets.
Why It Matters
This incident represents a significant escalation in ransomware impact against the financial services sector. Comparitech researchers logged 70 confirmed ransomware attacks against U.S. finance firms in 2025, collectively exposing more than 2 million records. The IMA breach alone accounts for roughly a quarter of that yearly total, dwarfing the next-largest finance incident, Akira's compromise of Wakefield & Associates, which affected 371,577 people.
The attack is also a notable pivot for Genesis. Since emerging in October 2025, the group has claimed 76 attacks with 10 confirmations, concentrated in healthcare, local government, and small retail. IMA is its first publicly listed financial sector victim, suggesting Genesis is broadening its target aperture toward higher-value verticals where stolen data carries greater monetization potential.
For defenders, the mechanism of compromise is the more important signal: a legacy server, hosted by a third party and already a candidate for decommissioning, still holding production-grade PII. This pattern of forgotten infrastructure outside the primary monitoring perimeter continues to dominate root-cause findings across the sector.
The Attack Technique
The initial access vector has not been disclosed, and IMA has not commented on Genesis' claim. However, the public details suggest a characteristic third-party legacy infrastructure compromise:
- The compromised asset was a legacy file server hosted by an external provider, indicating it likely fell outside the primary corporate EDR, SIEM, and patching cadence.
- Genesis' tooling is reported to perform both data theft and system encryption, consistent with the modern double-extortion model. The 700 GB exfiltration claim points to either prolonged dwell time, weak egress monitoring, or both.
- The gap between intrusion discovery (December 16, 2025) and leak site listing (January 2026) is consistent with a failed or refused ransom negotiation, after which Genesis moved to public extortion.
Common precursors for similar legacy-server intrusions include exposed RDP and SMB services, unpatched VPN appliances, valid credentials reused from infostealer logs, and stale service accounts retained on third-party hosts.
What Organizations Should Do
- Inventory and decommission legacy third-party hosted infrastructure. Audit every file server, archive host, and "temporary" project asset stored with external providers. Confirm each is actively monitored or formally retired with data securely destroyed.
- Extend EDR, logging, and egress monitoring to vendor-hosted assets. If a server holds production PII, it must produce telemetry into your SIEM regardless of where it physically sits. Unmonitored systems are where 700 GB exfiltrations succeed unnoticed.
- Treat KYC and diligence data stores as crown-jewel assets. Apply tokenization, field-level encryption, and strict access logging to repositories holding SSNs, passport numbers, taxpayer IDs, and medical data in combination.
- Hunt for Genesis indicators across healthcare, government, and finance environments. Given the group's rapid expansion since October 2025 and the limited public IOC sharing, proactive threat hunting on lateral movement and exfiltration patterns is warranted.
- Validate ransomware preparedness with double-extortion scenarios. Tabletop exercises should assume that data theft has already succeeded by the time encryption is detected, and should include legal, communications, and regulator notification workflows.
- Reassess third-party contractual obligations. Vendors hosting legacy systems should be required to attest to monitoring, patching, and incident notification timelines, with audit rights and clearly defined data destruction terms on decommissioning.
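As an added example (not from IMA's notice or Comparitech's report), the first two recommendations above can be reduced to two checks that run over exported firewall flow records: an inventory gap check that flags PII-holding hosts shipping no telemetry at all, and an egress alert that compares each host's external byte count against its baseline and always flags hosts missing from the inventory. Hostnames, baselines, IP addresses and the flow records are constructed for illustration.

```python
"""Defender checks for vendor-hosted file servers: silent PII assets and egress spikes."""
from collections import defaultdict

# Constructed asset inventory (hypothetical hostnames): which hosts hold PII
# and how much external egress per day is normal for each of them.
INVENTORY = {
    "fs-corp-01":    {"holds_pii": True,  "baseline_gb": 2.0},
    "legacy-fs-07":  {"holds_pii": True,  "baseline_gb": 0.5},  # vendor-hosted, ships no logs
    "dms-backup-04": {"holds_pii": True,  "baseline_gb": 0.5},
    "web-proxy-02":  {"holds_pii": False, "baseline_gb": 40.0},
}

# Constructed flow records for one day: (source host, destination IP, bytes out).
# Note that legacy-fs-07 never appears: an unmonitored host is silent, not idle.
FLOWS = [
    ("fs-corp-01",     "10.0.4.20",     900_000_000),      # internal copy, not egress
    ("fs-corp-01",     "172.20.1.5",    500_000_000),      # internal, not egress
    ("fs-corp-01",     "203.0.113.9",   1_200_000_000),    # normal external traffic
    ("web-proxy-02",   "198.51.100.44", 30_000_000_000),   # within proxy baseline
    ("dms-backup-04",  "203.0.113.50",  7_000_000_000),    # 14x its baseline
    ("archive-tmp-03", "203.0.113.77",  9_000_000_000),    # host nobody inventoried
]

def is_internal(ip):
    """RFC 1918 destinations are not egress; only external destinations count."""
    first, second = ip.split(".")[:2]
    return first == "10" or (first == "192" and second == "168") or \
        (first == "172" and 16 <= int(second) <= 31)

def egress_gb_by_host(flows):
    """Sum external bytes per source host, in GB."""
    totals = defaultdict(float)
    for host, dst, nbytes in flows:
        if not is_internal(dst):
            totals[host] += nbytes / 1e9
    return dict(totals)

def silent_pii_hosts(inventory, flows):
    """PII hosts with no telemetry in the window: the 'forgotten server' pattern."""
    seen = {host for host, _, _ in flows}
    return sorted(h for h, meta in inventory.items() if meta["holds_pii"] and h not in seen)

def egress_alerts(inventory, flows, factor=5.0):
    """(host, gb, reason) for egress above factor x baseline, or from unknown hosts."""
    alerts = []
    for host, gb in egress_gb_by_host(flows).items():
        meta = inventory.get(host)
        if meta is None:
            alerts.append((host, gb, "not in inventory"))
        elif gb > factor * meta["baseline_gb"]:
            alerts.append((host, gb, f"{gb / meta['baseline_gb']:.0f}x baseline"))
    return alerts
```

Running both checks over the constructed data surfaces legacy-fs-07 as a silent PII host and raises alerts for dms-backup-04 and the uninventoried archive-tmp-03, while the in-baseline hosts stay quiet.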
Sources: Finance firm IMA warns 525,000+ people of data breach - Comparitech