Liberty Mutual Insurance is facing a class action lawsuit in the U.S. District Court for the District of Massachusetts after the Everest ransomware group exfiltrated 108 GB of data tied to more than 15,000 policyholders. The complaint, Francis et al. v. Liberty Mutual Insurance Co., No. 1:26-cv-12056, was filed May 7, 2026, alleging negligence, breach of implied contract, invasion of privacy, and violations of the Massachusetts Consumer Protection Act after attackers published the stolen trove on May 4, 2026.
What Happened
On April 30, 2026, the Everest ransomware group claimed responsibility for stealing 108 gigabytes of policyholder data from systems connected to Liberty Mutual Insurance. After the insurer reportedly failed to respond to ransom demands, Everest published the full data dump on May 4, 2026. Liberty Mutual has publicly stated it is investigating "a possible incident at a third-party vendor" and maintains that its own internal systems and networks do not appear to have been compromised. However, file metadata included in the leaked archive suggests the entire trove was created or staged on January 26, 2026, raising the possibility that adversaries maintained access to the vendor environment for roughly three months before exfiltration. This is the same Everest crew tied to the April 2026 attack against Citizens Bank customers, indicating continued targeting of U.S. financial services and insurance verticals.
What Was Taken
The leaked dataset totals 108 GB, comprising 52,429 files distributed across 14,979 folders. According to the complaint and public review of the dump, exposed records include:
- Policyholder full names and physical addresses
- Liberty Mutual policy numbers
- Financial details tied to policies
- Records belonging to both current and former Liberty Mutual customers
The plaintiffs estimate more than 15,000 individuals are affected, though the complaint notes the investigation is ongoing and the true population may grow as forensic review continues.
Why It Matters
This incident reinforces the legal and reputational exposure that carriers face for third-party vendor breaches, even when their core infrastructure is untouched. The plaintiffs' core argument hinges on the months-long gap between initial intrusion (suggested by January 26 timestamps) and public disclosure: when did Liberty Mutual know, or when should it have known, that customer data was at risk? For the broader insurance sector, this is a precedent-setting test of vendor accountability, breach notification timelines, and the duty to monitor downstream data processors. Everest's continued operational tempo across financial services also signals that policyholder PII remains a high-value target for double-extortion campaigns, especially where insurers hold long-tail records on individuals' assets, claims history, and finances.
The Attack Technique
Technical indicators remain limited, but the available evidence points to a classic double-extortion playbook executed against a third-party vendor in Liberty Mutual's data supply chain. Everest typically gains initial access via stolen or brokered credentials, exposed remote access services, or unpatched edge appliances, followed by lateral movement, staging of bulk file shares, and exfiltration prior to encryption or data publication. The reported January 26 file-creation timestamps across the entire archive suggest the operators staged a large copy of vendor file shares months before publication, then waited out the ransom negotiation window before leaking. Liberty Mutual has not confirmed the specific vendor, intrusion vector, or whether encryption was deployed alongside exfiltration.
What Organizations Should Do
- Inventory every third-party vendor that processes policyholder, claims, or PII data, and verify contractual breach-notification SLAs are tight enough to satisfy state laws and the Massachusetts Consumer Protection Act standard.
- Require vendors to provide evidence of MFA on all administrative access, EDR coverage on systems handling regulated data, and immutable backups, with audit rights baked into renewal cycles.
- Hunt for Everest TTPs and known indicators across vendor-adjacent network segments, focusing on anomalous outbound transfers, bulk file enumeration, and credential reuse from third-party access paths.
- Implement data minimization and tokenization for PII shared with vendors so that any stolen archive yields reduced identity-theft value.
- Pre-stage breach response playbooks for vendor-origin incidents, including legal review of notification triggers, regulator engagement, and customer communication templates.
- Monitor Everest's leak site and threat intelligence feeds for sector-adjacent victims that may indicate shared vendors or upstream compromise.
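One way to hunt for the bulk file enumeration named in the list above, shown as an added example that is not from the original article: a sliding-window check over file-access audit events that flags any account reading an unusually large number of distinct files in a short period. The log format, account names, paths, and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_event(line):
    """Parse 'ISO8601-timestamp account path' (constructed log format)."""
    ts, account, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), account, path

def find_bulk_enumeration(lines, window=timedelta(minutes=5), min_files=100):
    """Return one alert per account: (account, start, end, distinct_files)
    for the first window in which it touched >= min_files distinct paths."""
    recent = defaultdict(deque)                      # account -> (ts, path) in window
    counts = defaultdict(lambda: defaultdict(int))   # account -> path -> hits in window
    alerts = {}
    for ts, account, path in sorted(parse_event(l) for l in lines):
        if account in alerts:
            continue                                 # already flagged once
        q, c = recent[account], counts[account]
        q.append((ts, path))
        c[path] += 1
        # Evict events that have aged out of the window.
        while q and ts - q[0][0] > window:
            _, old_path = q.popleft()
            c[old_path] -= 1
            if c[old_path] == 0:
                del c[old_path]
        if len(c) >= min_files:
            alerts[account] = (account, q[0][0], ts, len(c))
    return list(alerts.values())

def sample_events():
    """Constructed sample: one account sweeping a share, one normal user."""
    base = datetime(2025, 1, 1, 2, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} svc-vendor-sync "
             f"/share/policies/file{i:04d}.pdf" for i in range(150)]
    lines += [f"{(base + timedelta(minutes=10 * i)).isoformat()} jdoe "
              f"/share/policies/file{i % 3:04d}.pdf" for i in range(20)]
    return lines

if __name__ == "__main__":
    for account, start, end, n in find_bulk_enumeration(sample_events()):
        print(f"ALERT {account}: {n} distinct files between {start} and {end}")
```

Thresholds should be tuned against each vendor integration's normal batch jobs, which can legitimately read many files in a short window.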
Sources: Liberty Mutual Ransomware Lawsuit, Were Your Records Stolen?