Liberty Mutual, the Boston-based global insurance carrier, is investigating a data breach claimed by the Everest ransomware group after the threat actor began publishing 108 GB of allegedly stolen data on May 4, 2026. The leak followed a three-day countdown posted to Everest's dark web site on April 30, and went live after the insurer reportedly declined to engage with ransom demands. The cache contains 52,429 files spread across 14,979 folders, with timestamps suggesting collection in early 2026.

What Happened

Everest listed Liberty Mutual on its dark web leak portal on April 30, 2026, giving the company a 72-hour window to respond before publishing the stolen archive. When that deadline passed, the group began releasing the full 108 GB cache on May 4. Liberty Mutual has launched an investigation but disputes the actor's framing of a direct network compromise, stating publicly that the incident appears to trace back to a third-party vendor and that its own internal networks remain intact. Independent security researchers reviewing the leak samples noted the presence of policy data tied to brokers operating in Florida, Illinois, and Washington, which lends weight to the supply chain attack theory.

What Was Taken

The leaked cache reportedly includes a broad cross-section of policyholder and corporate client records, including:

The number of affected individuals has not been disclosed. The presence of terrorism coverage records and corporate client documentation is particularly notable, as this category of policy typically involves high-value enterprise customers and sensitive risk assessments that could be exploited for downstream targeting.

Why It Matters

Insurance carriers sit on dense concentrations of personally identifiable information, financial records, and underwriting data that map to both individual and corporate risk profiles. A leak of this size against a tier-one carrier like Liberty Mutual gives criminal buyers a ready-made dataset for identity fraud, business email compromise targeting named insureds, and reconnaissance against the corporate clients whose terrorism and specialty policies were exposed. The dispute over attack vector also matters: if the breach truly originated at a vendor, every downstream insurer or broker sharing that platform may be exposed to the same intrusion.

The Attack Technique

Everest has not published technical details of the intrusion, and Liberty Mutual has not corroborated a direct network breach. The carrier's attribution of the incident to a third-party vendor, combined with the broker-specific regional clustering observed in the leak samples, points toward a supply chain compromise rather than a perimeter breach of Liberty Mutual itself. Everest has historically gained initial access through stolen or brokered credentials, exposed remote services, and partnerships with initial access brokers, and has then exfiltrated large volumes of data for double-extortion leverage rather than relying solely on encryption.

What Organizations Should Do

  1. Inventory third-party vendors with access to policyholder, broker, or underwriting data and require them to confirm whether their environments were touched in this incident.
  2. Tighten contractual breach-notification SLAs and audit rights with insurance technology vendors, brokers, and managing general agents.
  3. Monitor for credential reuse and authentication anomalies tied to broker portals, vendor integrations, and federated identity systems.
  4. Notify corporate clients whose specialty coverage (terrorism, kidnap and ransom, executive protection) may have been exposed, given the targeting value of those records.
  5. Hunt for Everest-associated tooling and indicators across vendor-connected segments, and verify offline, immutable backups for any insurance-adjacent systems.
  6. Brief fraud and customer service teams on heightened risk of phishing and account takeover attempts impersonating Liberty Mutual or its brokers.
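One way to implement the monitoring in step 3 for vendor and broker integration accounts, as an added example that is not from the article, Liberty Mutual or Everest; the log format, account names, addresses and allowlist are constructed for illustration:

```python
# Added example (not from the article, Liberty Mutual or Everest): flag
# authentication anomalies on vendor/broker integration accounts.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical key=value format).
SAMPLE_LOGS = """\
2026-03-02T08:01:10Z user=svc-broker-feed src=203.0.113.10 result=success
2026-03-02T09:12:03Z user=svc-broker-feed src=198.51.100.77 result=fail
2026-03-02T09:12:09Z user=svc-broker-feed src=198.51.100.77 result=fail
2026-03-02T09:12:15Z user=svc-broker-feed src=198.51.100.77 result=fail
2026-03-02T09:12:40Z user=svc-broker-feed src=198.51.100.77 result=success
2026-03-02T10:00:00Z user=svc-mga-sync src=192.0.2.25 result=success
"""
# Expected source addresses per vendor account (hypothetical allowlist).
BASELINE = {"svc-broker-feed": {"203.0.113.10"}, "svc-mga-sync": {"192.0.2.25"}}
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")

def parse(log_text):
    """Parse lines into (timestamp, user, src, result) tuples; skip malformed ones."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_anomalies(events, baseline, fail_threshold=3, window=timedelta(minutes=5)):
    """Alert on (a) a success from a source outside the account's baseline and
    (b) >= fail_threshold failures followed by a success within `window` from
    the same source, the shape of credential reuse / password guessing."""
    alerts = []
    recent_fails = defaultdict(list)  # (user, src) -> failure timestamps
    for ts, user, src, result in sorted(events):
        key = (user, src)
        if result != "success":
            recent_fails[key].append(ts)
            continue
        if src not in baseline.get(user, set()):
            alerts.append(("new-source-success", user, src, ts.isoformat()))
        if sum(1 for t in recent_fails[key] if ts - t <= window) >= fail_threshold:
            alerts.append(("fail-burst-then-success", user, src, ts.isoformat()))
        recent_fails[key].clear()
    return alerts

def run(log_text=SAMPLE_LOGS, baseline=BASELINE):
    return find_anomalies(parse(log_text), baseline)
```

On the constructed sample, `run()` returns two alerts for `svc-broker-feed`: a success from an address outside its baseline, and a burst of failures followed by a success from that same address; the `svc-mga-sync` login matches its baseline and produces none.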

Sources: Everest Ransomware Group Leaks 108 GB of Alleged Liberty Mutual Data