VeriSource bumps up potential victim count of data breach to 4 million

News
By published

Up from 55,000 a year ago

Zero-day attack
(Image credit: Shutterstock) (Image credit: Shutterstock.com)
  • VeriSource started sending out data breach notification letters and reported the February 2024 incident to Maine's AG
  • It now says the number of victims is four million, up from the initial 55,000
  • Names, addresses, and SSNs were grabbed in the attack

Four million people may have had their sensitive data stolen in the Verisource data breach that happened last year. The company confirmed the news in a new filing with the Office of the Maine Attorney General, as well as in a data breach notification letter sent to affected individuals.

VeriSource Services is a Houston-based employee benefits administration company, with clients in different industries in the US, including healthcare, education, and the public sector.

It recently started sending out data breach notification letters, in which it said that it became aware of “unusual activity” that disrupted access to certain systems, on February 28, 2024. The subsequent investigation, which concluded on April 17, 2025, determined that threat actors stole “certain personal information” the day before being spotted.

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

Get Keeper Personal for just $1.67/month, Keeper Family for just $3.54/month, and Keeper Business for just $7/month

​Keeper is a cybersecurity platform primarily known for its password manager and digital vault, designed to help individuals, families, and businesses securely store and manage passwords, sensitive files, and other private data.

It uses zero-knowledge encryption and offers features like two-factor authentication, dark web monitoring, secure file storage, and breach alerts to protect against cyber threats.

Preferred partner (What does this mean?)

View Deal

Unknown attackers

The information stolen includes people’s names, addresses, dates of birth, gender information, and/or Social Security numbers (SSN). “Please note that VSI has no evidence of any actual or suspected misuse of information involved in this incident,” the company said.

It is also worth mentioning that no one has so far assumed responsibility for the attack and the data has not surfaced anywhere on the dark web. Therefore, it is difficult to determine if this was a simple smash-and-grab, or a ransomware attack.

While the letter didn’t say how many people were affected by the breach, a listing on the website of the Maine Attorney General’s Office puts the number of victims at four million, up from 55,000 in May 2024, and another 112,000 in September 2024.

VeriSource said that it offers 12 months of free credit monitoring, identity theft protection, and identity restoration services to the victims. Although it might sound too little too late, the fact that the data hasn’t surfaced yet could mean the offering might make sense.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.