
US insurance giant Liberty Mutual has been claimed as a victim by the Everest ransomware group – allegedly exposing over 100 GB of data, including the personal and financial information of thousands of individual policyholders.
- A ransomware gang claims it hit Liberty Mutual and is threatening to leak policyholder files within days.
- The stolen cache allegedly includes names, addresses, policy numbers, and financial and insurance details.
- Everest’s latest claim adds another major insurer to a victim list already packed with banks, airlines, retailers, and global brands.
Liberty Mutual Insurance appeared on the ransomware gang’s dark leak site on Thursday, along with a three-day deadline to make contact with the group.
“The files will be published after the timer counts down. The company still has time to get in touch with us,” the group posted above its signature countdown clock.
What data was taken?
Everest claims to have stolen a 108 GB cache – the equivalent of exactly 52,429 files, or 14,979 folders, according to its victim post.
The large-scale Liberty Mutual dataset purportedly contains “tens of thousands” of insurance-related documents, including customer-facing records, individual policy documents, and generated forms.
Everest says the large-scale collection of records contains personally identifiable information (PII), including but not limited to:
- customer names
- addresses
- policy numbers
- financial and insurance details
“The dataset also includes multiple file formats such as: .doc, .pdf, .txt, .json, .afp, .vpf, .tgz,” Everest claims, with the entire trove allegedly created earlier this year on Wednesday, January 26th, 2026.
The posted proof samples, which Cybernews has reviewed, do not appear to contain any highly sensitive documents; instead, they show basic insurance policy information tied to several large corporate clients, a terrorism policy dated October 2025 through October 2026, and one group privacy notice.
Those companies, which appear to be insurance brokers working with Liberty Mutual, are located in Florida, Illinois, and Washington state.
Cybernews has reached out to Liberty Mutual for comment and is awaiting a response at the time of this report.
Not Liberty Mutual’s first breach
Headquartered in Boston, Liberty Mutual is considered the 6th largest insurer in the world, serving millions of individuals and businesses and operating in 27 countries and economies, according to a company profile.
With an annual consolidated revenue of $50 billion, the 110-year-old Fortune 100 company has more than 40,000 employees worldwide across three major divisions: US retail markets, Global Risk Solutions, and Liberty Mutual Investments.
It's also not the first time Liberty Mutual has found itself facing fallout from a major cyber incident.
The global insurance company suffered several breaches in 2021 via three different third-party consumer quote tools, exposing the personal data of over 50,000 New York policyholders.
Liberty Mutual was found liable for failing to protect consumer data in October 2025, when the New York State Attorney General’s Office slapped the company with a $2 million settlement related to the 2021 cyberattack – part of a $14 million settlement against 10 insurance companies.
In addition to the penalties, the companies were required to adopt a series of measures to strengthen their cybersecurity practices, the Attorney General’s office said at the time.
Ironically, Liberty Mutual also launched its own cyber insurance product last October for both personal and commercial customers fearful of falling victim to ransomware.
The insurance giant was listed on April 30th alongside the US-based legal and compliance technology solutions provider Morae Global Corporation, from which Everest also claims to have exfiltrated a 261 GB database of sensitive records.
Who is Everest?
According to Cybernews’ Ransomlooker tool, Everest has listed 280 victims on its dark blog since 2023, including over 116 in the past 12 months.
The gang recently targeted the financial sector, listing Frost Bank and Citizens Financial Group in April and claiming to hold sensitive customer and account-linked records tied to both US banks.
Both banks later said the breach stemmed from a third-party vendor, not direct unauthorized access to their own networks.
Everest also threatened to leak 900GB of internal Nissan data last month unless the automaker paid up, later publishing details about the alleged breach and negotiations.
Active since at least 2020, Everest runs a double-extortion model – stealing data, encrypting systems, and threatening to publish files if victims don’t pay.
The cartel has also branched into initial access brokerage, selling network footholds when direct extortion doesn’t pay.
In recent months, Everest has claimed attacks on major brands and institutions, including BMW, Collins Aerospace, Coca-Cola's Middle East division, and Under Armour.
The gang has also targeted US-based Pacific HealthWorks, the North American gourmet cookie shop chain Crumbl, email marketing behemoth Mailchimp, and the US hotel chain Radisson Country Inn and Suites.
First spotted around 2021, Everest made early headlines after the 2022 attack on US telecommunications behemoth AT&T, when the group claimed access to AT&T’s entire corporate network.
The hacker cartel is believed to be linked to the BlackByte ransomware group.