We recently discovered a 500GB database purportedly belonging to USG Insurance Services being leaked online for free on a popular Russian hacking forum. The cybercriminal leaking the data claims that it includes scans of sensitive documents containing such information as social security numbers and account balances.
The first part of the data was published on October 27, 2020, and the second part was made available November 4, 2020. It appears to be part of a failed post-breach negotiation, after the breached company opted to not pay the ransom.
The total leak is said to be 500GB in size, with a total of 5.25 million files.
We asked USG Insurance Services if they could confirm that the leak was theirs, and whether they have alerted their customers. However, we have not received any responses yet.
To see if your email address has been exposed in this or other security breaches, use our personal data leak checker.
Who is the company behind the leak?
The leaked data appears to come from USG Insurance Services, Inc., which lists itself as a national wholesale broker specializing in providing “innovative solutions for hard to place commercial insurance.”
The leaked data includes:
- Applicant and spouse social security numbers
- Phone numbers
- Driver’s licenses
- Account balances
Because it is a broker, USG represents a variety of insurance carriers in all states. The samples we saw from the leaked database match up with USG’s description: a lot of the scanned documents are from various insurance companies.
While we don’t have access to the full 500GB database, we can see that each scanned document is roughly 200 KB in size. If the entire database were filled with scanned documents of equal size, that would mean there are roughly 2.5 million such documents. The leaker claims that there are twice that amount – 5.25 million files – in the full database, which seems possible.
We downloaded one part of the file, 21B in size, and feel confident that the database belongs to USG Insurance. A lot of the files we saw were internal documents about USG’s customers and their insurance partners, as well as some internal communications.
These files largely contained information about the customers’ policies, premiums, plans, and other related data.
Who had access to the data?
Because the data was made freely available on a popular Russian hacking forum from the end of October, it’s reasonable to assume that a sizable portion of the forum had access to the data.
The question remains how many actually accessed it, and of that, how many are using that data for their cybercriminal activities.
We attempted to contact USG Insurance Services, but have not received a response from them yet.
What’s the impact of the leak?
All of the documents we analyzed contained social security numbers – which is logical, since it is a required piece of information when applying for a loan.
Social security numbers are gold mines for cybercriminals, because they allow criminals to perform various identity theft attacks. These include:
- taking out loans in the victim’s name
- applying for credit cards
- collecting tax refunds
- collecting benefits and income
- committing crimes
- setting up fraudulent phone numbers, websites and residences
- using the victim’s health insurance
Beyond that, these criminals could also scrape the social security numbers and sell them on the black market. The price of a social security number varies: while one study estimated its worth at around $60, our own scans of the dark market saw prices as low as $5.
Criminals can also use the information listed here – names, account balances, social security numbers and addresses – in targeted phishing campaigns to steal money from the victims.
If you’re a customer of USG Insurance Services, Inc. or one of the carriers that it works with, there’s a good chance your data has been leaked. For that reason, we recommend you:
- Set up identity theft monitoring through your financial institution of choice
- Watch out for suspicious emails, as they may be phishing attempts. Avoid clicking on links from suspicious emails