Breach Analysis

Decisely Cloud Breach Exposes 114K Across 225+ Employers

Decisely Insurance Services breach exposed SSNs, passport numbers, and bank accounts for 113,984 individuals after a cloud storage intrusion affecting MetLife and 225 partner organizations.

By FinSecLedger
Records: 113,984
Vector: hacking
Status: confirmed
Occurred: Dec 16, 2024
Discovered: Dec 17, 2024
Disclosed: Oct 8, 2025
Exposed: Names, SSN, DOB, Addresses, Phone, Email, Passport, Account #s, Digital signature
Sources: Maine AG

Decisely Insurance Services, a benefits brokerage and HR technology provider headquartered in Alpharetta, Georgia, disclosed a data breach affecting 113,984 individuals after an attacker accessed its cloud storage platform and acquired data on December 16, 2024. The breach rippled across more than 225 partner organizations, including MetLife, making this one of the more significant vendor-driven incidents in the insurance sector in recent months. The supplemental filing with the Maine Attorney General on October 7, 2025, reveals a breach notification process that stretched across four separate waves of letters spanning June through September 2025 -- nearly ten months after the initial intrusion.

The compromised data includes Social Security numbers, passport numbers, bank account numbers, dates of birth, and digital signatures. That combination represents a full identity theft toolkit: enough to open financial accounts, file fraudulent tax returns, or commit passport fraud. For the 225+ small businesses and their employees caught in this breach, Decisely's cloud storage failure has created a long-tail exposure problem that will persist for years.

Timeline: From Cloud Intrusion to Ten Months of Notifications

December 16, 2024: The attacker acquires data from Decisely's cloud storage platform. The notification letter describes this as the date "some data may have been acquired."

December 17, 2024: Decisely discovers suspicious activity related to its cloud storage environment. The company secures the environment and begins an investigation, engaging external cybersecurity experts to determine the scope.

May 29, 2025: Decisely completes its analysis and identifies that data belonging to MetLife -- its first confirmed affected partner -- was involved. That is a 163-day gap between discovery and completing the data review for just one partner organization.

June 13, 2025: First wave of notification letters mailed on behalf of MetLife.

July 15-18, 2025: Second and third waves of letters go out, still on behalf of MetLife.

August 18, 2025: Decisely notifies its remaining partner organizations (beyond MetLife) and provides them access to lists of affected data subjects. This is the first time these 225+ organizations learned their data was involved -- eight months after the intrusion.

September 30, 2025: Fourth wave of notification letters mailed on behalf of 225 partner organizations. A total of 24 Maine residents were notified across all waves.

The timeline reveals a cascading notification problem inherent to vendor breaches. Decisely could not notify affected individuals directly because it processes data on behalf of client organizations. Each partner had to validate and confirm its data subjects before Decisely could issue letters. That coordination overhead stretched what was already a slow data review process into a ten-month notification saga.

What Data Was Exposed in the Decisely Breach

The exposed data is unusually broad for a benefits brokerage breach. According to the notification letter, the following data types were potentially acquired:

  • Social Security numbers -- the single most exploitable identifier for financial fraud, tax fraud, and synthetic identity creation
  • Passport numbers -- rarely exposed in corporate breaches, this creates international identity fraud risk and potential for fraudulent passport applications
  • Bank account numbers -- direct financial exposure; enables ACH fraud and unauthorized wire transfers
  • Dates of birth -- combined with SSN, completes the profile needed for credit applications
  • Digital signatures -- could be used to forge authorization on documents
  • Names, addresses, phone numbers, and email addresses -- standard PII that enables targeted phishing and social engineering

The passport number exposure stands out. Most benefits brokerage data involves employment and insurance records. The presence of passport data suggests Decisely's cloud storage contained immigration or identity verification documents -- the kind of records collected during onboarding or I-9 verification processes. For the small businesses relying on Decisely for HR services, this means employee documents they assumed were being securely managed were sitting in a compromised cloud environment.

How the Cloud Storage Attack Happened

Decisely's notification letter describes the incident as involving "suspicious activity related to its cloud storage platform." The company does not name the cloud provider or specify the attack vector -- whether it was compromised credentials, a misconfigured storage bucket, an API vulnerability, or an insider threat.

Cloud storage breaches in the HR and benefits sector have become a recurring pattern. The CNA Continental Casualty breach, disclosed in January 2026, followed a similar trajectory: a vendor (Conduent) was compromised, and the attacker maintained access for 84 days before detection. In Decisely's case, the company claims same-day detection -- discovering the intrusion on December 17, one day after data acquisition on December 16. If accurate, the detection speed is commendable, but the damage was already done: the data had been acquired before the activity was flagged.

The attack surface for benefits brokerages is significant. These companies aggregate sensitive data from hundreds of employer clients into centralized platforms. A single cloud storage compromise doesn't just affect one organization -- it cascades across every client whose data was stored in that environment. Decisely's 225+ partner organizations learned that lesson the hard way.

Who Is Affected

The 113,984 affected individuals span employees, dependents, and beneficiaries associated with 225+ small business clients of Decisely. MetLife is the only named partner organization, but the notification letter references hundreds of unnamed "current or former partner organizations to which Decisely is a service provider."

The geographic scope extends to at least Maine (24 confirmed residents), but given the multi-state nature of Decisely's small business clients, the affected population almost certainly spans all 50 states. The Maine filing is likely one of many state notifications.

The filing identifies Decisely as providing "benefits brokerage and human resources services, specializing in integrated technology solutions for small businesses." This positions Decisely as a PEO-adjacent vendor -- handling payroll, benefits, compliance, and retirement services for companies that outsource HR functions. Those services require collecting and storing exactly the kind of sensitive data that was compromised: SSNs for tax reporting, bank accounts for direct deposit, and identity documents for employment verification.

Regulatory and Legal Exposure

This breach triggers multiple regulatory frameworks simultaneously.

State breach notification laws: With 113,984 affected individuals across what is likely all 50 states, Decisely faces a patchwork of notification requirements. Maine's statute (10 M.R.S. § 1348) requires notification "as expediently as possible and without unreasonable delay" -- the ten-month timeline will draw regulatory attention. States like New York require notification within 60 days under the SHIELD Act.

GLBA Safeguards Rule: As a service provider handling financial data on behalf of insurance carriers and benefits plans, Decisely falls within the scope of FTC Safeguards Rule requirements that mandate comprehensive security programs for entities handling consumer financial information. The cloud storage compromise raises questions about whether Decisely maintained adequate access controls, encryption, and monitoring.

ERISA considerations: Because Decisely administers employee benefit plans, the breach may implicate ERISA fiduciary duties. Plan sponsors who engaged Decisely have an obligation to prudently select and monitor service providers. Those 225+ partner organizations are now evaluating whether Decisely met the security standards represented in its service agreements.

Insurance regulatory scrutiny: The MetLife connection draws attention from state insurance regulators. MetLife, as a carrier, has its own regulatory obligations under frameworks like the NYDFS Cybersecurity Regulation (23 NYCRR 500), which requires covered entities to conduct due diligence on third-party service providers. The NYDFS regulation specifically mandates that covered entities assess the cybersecurity practices of their vendors -- making Decisely's cloud security posture a compliance question for MetLife.

The FBI has been notified, according to the notification letter, and Decisely has retained Constangy, Brooks, Smith & Prophete as breach counsel -- a firm with deep experience in data breach litigation. Class action exposure is high given the volume of affected individuals and the sensitivity of the data types.

The Third-Party Risk Problem in Benefits Administration

Decisely's breach is a case study in the cascading risk that small business HR outsourcing creates. Small businesses outsource HR to vendors like Decisely because they lack the internal resources to manage benefits, payroll, and compliance. In doing so, they concentrate their most sensitive employee data -- SSNs, bank accounts, identity documents -- into a single vendor's environment.

When that vendor is breached, every client is affected simultaneously. According to FinSecLedger's breach tracker, third-party vendor compromises account for a significant share of financial sector breaches, and the trend is accelerating. The Insurance Office of America (IOA) breach, which affected 12,913 individuals through an insurance intermediary, illustrates the same dynamic: a single point of compromise in the vendor chain radiates outward to every client relationship.

The concentration risk is compounded by the notification complexity. Decisely could not simply notify affected individuals -- it had to coordinate with each partner organization, share data subject lists, and wait for validation before issuing letters. That coordination overhead added months to the notification timeline. The Verizon 2024 Data Breach Investigations Report found that third-party breaches are increasingly common and carry longer notification timelines precisely because of this coordination tax.

For financial institutions and insurance carriers that rely on HR outsourcing vendors, this breach is a reminder that vendor risk assessments cannot be a checkbox exercise. Cloud storage security, access controls, encryption standards, and incident response capabilities need to be evaluated -- and re-evaluated -- at the contract level.

Action Items for Financial Institutions

  1. For affected individuals: Activate the Kroll identity monitoring services using the membership number in your notification letter before the enrollment deadline. Place fraud alerts with all three credit bureaus and monitor bank accounts for unauthorized ACH transactions. Given the passport number exposure, check your passport status through the State Department and consider requesting a new passport number.

  2. For employer clients of Decisely: Request a detailed accounting of which employee records were compromised. Evaluate whether Decisely's security posture meets the standards represented in your service agreement, and document that evaluation for ERISA fiduciary compliance purposes.

  3. For peer institutions using benefits outsourcing vendors: Conduct an immediate review of your benefits vendor's cloud storage architecture. Verify encryption at rest and in transit, access control policies, and logging and monitoring capabilities. Request SOC 2 Type II reports and evidence of penetration testing.

  4. For insurance carriers with Decisely exposure: Assess notification obligations under your state insurance regulatory framework. If you are subject to NYDFS 500 or similar state cyber regulations, document your third-party risk management process for Decisely and file any required notifications with your primary regulator.

  5. For compliance teams: Update vendor risk assessment questionnaires to include specific questions about cloud storage platforms, data segregation between clients, and incident notification SLAs. The ten-month notification timeline here should inform minimum contractual requirements for vendor breach notification -- 30 to 60 days is an emerging industry standard.
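One way to turn action items 3 and 5 into a repeatable check, as an added example that is not from the article, from Decisely, or from any cloud provider: a Python function that evaluates a provider-neutral snapshot of a vendor's storage controls and contract terms against encryption at rest and in transit, access control, logging and monitoring, per-client data segregation, and the breach-notification SLA. The field names (encryption_at_rest, tls_required, breach_notification_sla_days, and so on) and both snapshots are constructed for this illustration and are not any real API or Decisely's actual configuration.

```python
"""Vendor cloud-storage control check (added example, not from the article).

Field names below are assumptions for this illustration, not a real
cloud provider's API; the two snapshots are constructed, not Decisely's.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    control: str
    severity: str  # "high" or "medium"
    detail: str


# Upper bound on the contractual notification window; the article cites
# 30 to 60 days as the emerging industry standard.
MAX_NOTIFICATION_SLA_DAYS = 60


def assess_vendor_storage(snapshot: dict) -> list:
    """Return the control gaps found in a vendor storage/contract snapshot."""
    findings = []
    storage = snapshot.get("storage", {})
    contract = snapshot.get("contract", {})

    # Encryption at rest: require it, and prefer a customer-managed key
    if not storage.get("encryption_at_rest"):
        findings.append(Finding("encryption_at_rest", "high", "objects stored unencrypted"))
    elif storage.get("key_management") != "customer_managed":
        findings.append(Finding("encryption_at_rest", "medium", "encryption uses provider-default key"))

    # Encryption in transit: plaintext access must be rejected by policy
    if not storage.get("tls_required"):
        findings.append(Finding("encryption_in_transit", "high", "plaintext (non-TLS) access not blocked"))

    # Access control: no anonymous access, MFA on privileged roles
    if storage.get("public_access"):
        findings.append(Finding("access_control", "high", "storage is reachable anonymously"))
    if not storage.get("admin_mfa_required"):
        findings.append(Finding("access_control", "high", "privileged access does not require MFA"))

    # Logging and monitoring: access logs must exist and feed alerting
    if not storage.get("access_logging"):
        findings.append(Finding("logging", "high", "no access logging on storage"))
    elif not storage.get("alerting"):
        findings.append(Finding("logging", "medium", "logs collected but no alerting on anomalous access"))

    # Data segregation: each employer client isolated by container or key
    if storage.get("client_segregation") not in ("per_client_container", "per_client_key"):
        findings.append(Finding("segregation", "medium", "client data commingled without isolation"))

    # Contract: a breach-notification deadline must exist and fit the window
    sla = contract.get("breach_notification_sla_days")
    if sla is None:
        findings.append(Finding("notification_sla", "high", "no contractual breach-notification deadline"))
    elif sla > MAX_NOTIFICATION_SLA_DAYS:
        findings.append(Finding("notification_sla", "medium",
                                f"notification SLA of {sla} days exceeds {MAX_NOTIFICATION_SLA_DAYS}"))

    return findings


def high_severity_count(snapshot: dict) -> int:
    """Number of high-severity gaps, useful as a go/no-go threshold."""
    return sum(1 for f in assess_vendor_storage(snapshot) if f.severity == "high")


# Constructed snapshots for illustration (not Decisely's actual configuration)
WEAK_VENDOR = {
    "storage": {
        "encryption_at_rest": True,
        "key_management": "provider_default",
        "tls_required": False,
        "public_access": False,
        "admin_mfa_required": False,
        "access_logging": True,
        "alerting": False,
        "client_segregation": "shared_container",
    },
    "contract": {},  # no notification SLA negotiated
}

HARDENED_VENDOR = {
    "storage": {
        "encryption_at_rest": True,
        "key_management": "customer_managed",
        "tls_required": True,
        "public_access": False,
        "admin_mfa_required": True,
        "access_logging": True,
        "alerting": True,
        "client_segregation": "per_client_container",
    },
    "contract": {"breach_notification_sla_days": 30},
}


if __name__ == "__main__":
    for name, snap in (("weak", WEAK_VENDOR), ("hardened", HARDENED_VENDOR)):
        results = assess_vendor_storage(snap)
        print(f"{name}: {len(results)} findings, {high_severity_count(snap)} high")
        for f in results:
            print(f"  [{f.severity}] {f.control}: {f.detail}")
```

The weak snapshot produces six findings (three high: no TLS enforcement, no MFA on privileged access, no notification SLA), the hardened one none. In practice the snapshot would be populated from the vendor's SOC 2 evidence, questionnaire answers, and contract, and the high-severity count used as the gate for renewal.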

Tags: breach, insurance, cloud-compromise, ssn, maine, third-party-risk, metlife, vendor