
Nusbaum Insurance Agency Breach Exposes SSNs and Financial Data for 263 Clients

Analysis of the Nusbaum Insurance Agency email breach affecting 263 individuals -- a 13-month notification delay, broad data exposure, and what it means for insurance sector security.

By FinSecLedger
Records: 263
Vector: unauthorized access
Status: confirmed
Occurred: Aug 1, 2024
Discovered: Aug 1, 2024
Disclosed: Sep 22, 2025
Exposed: Names, SSN, DOB, Addresses, Driver's license, Account #s, Email
Sources: Maine AG

13 Months of Silence After Email Compromise at Insurance Agency

Nusbaum Insurance Agency, a New York-based insurance agency, filed a breach notification with the Maine Attorney General on September 22, 2025, revealing that an unauthorized third party gained access to the agency's email environment in August 2024. The breach exposed names, Social Security numbers, dates of birth, addresses, driver's license numbers, account numbers, and email addresses belonging to 263 individuals. The data types exposed represent a near-complete identity profile -- the kind that enables everything from new account fraud to synthetic identity creation.

The most striking element of this incident is not its scale but its timeline. Nusbaum discovered the breach in the same month it occurred, August 2024, yet affected individuals did not receive notification letters until approximately 13 months later. For 263 people whose SSNs, financial account numbers, and government-issued ID numbers were sitting in a compromised email environment, that year-plus gap is time the threat actors had to monetize the stolen data while the victims had no idea they were exposed.

Timeline: Breach in August 2024, Notification in September 2025

The sequence of events exposes the slow mechanics of a small organization working through a breach investigation without the resources to move quickly.

August 2024: An unauthorized third party gains access to Nusbaum Insurance Agency's email environment. The agency discovers the intrusion in the same month -- a reasonable detection window, particularly for an email compromise where anomalous login activity or forwarding rules can trigger alerts.

August 2024 (post-discovery): Nusbaum engages its existing third-party IT provider to investigate the incident. This first-round investigation apparently proves insufficient, prompting the agency to bring in specialized forensic experts for a deeper analysis.

Between August 2024 and September 2025: The forensic investigation proceeds. The two-stage investigation -- first the IT provider, then the forensic specialists -- suggests the initial assessment could not determine the full scope of the compromise, forcing Nusbaum to escalate to experts with email forensics capabilities.

September 22, 2025: Nusbaum files its breach notification with the Maine AG and begins sending notification letters to affected individuals. The filing also notes that law enforcement was notified.

The 13-month gap between discovery and notification is extreme, even by insurance sector standards. The IOA breach involved a 200-day delay. The Cove Risk Services breach took 223 days. Nusbaum's timeline stretches past 390 days. For a breach affecting 263 individuals -- not 113,000 -- the length of that review process raises questions about the agency's investigative capacity and whether the two rounds of investigation introduced compounding delays.

What Data Was Exposed

The notification identifies seven categories of compromised personal information, each carrying distinct risk profiles:

Social Security numbers -- the highest-value data element. SSNs are permanent identifiers that cannot be changed and serve as the master key for credit applications, tax filings, and government benefit claims. With 263 SSNs exposed, the affected individuals face indefinite identity theft risk.

Dates of birth and driver's license numbers -- combined with SSNs, these create a verified identity package. Driver's license numbers are used for identity verification at financial institutions and government agencies, and unlike credit card numbers, they cannot be easily reissued.

Account numbers -- the filing does not specify whether these are bank accounts, insurance policy numbers, or both. For an insurance agency, this likely includes policy account identifiers and potentially banking details used for premium payments. Either way, account numbers paired with SSNs and DOBs create direct financial fraud exposure.

Names, addresses, and email addresses -- baseline PII that enables targeted phishing. An attacker who knows your name, email, home address, and the name of your insurance agency can craft highly convincing spear-phishing messages impersonating Nusbaum or its carriers.

The breadth of this exposure is disproportionate to the breach's scale. 263 individuals is a small count, but the data quality per record is exceptionally high.

How the Attack Happened

The breach was an email environment compromise -- an attacker gained unauthorized access to Nusbaum's email system, not its broader network or databases. This places the incident squarely in the business email compromise (BEC) category, the most financially destructive form of cybercrime tracked by the FBI's Internet Crime Complaint Center (IC3).

Email environment compromises at insurance agencies follow a predictable pattern. The attacker gains access through credential theft -- typically via phishing, credential stuffing, or password reuse -- and then accesses the contents of mailboxes that contain client communications. Insurance agents routinely email policy applications, claims documents, and account information. A single compromised mailbox belonging to an agent or account manager can contain years of client correspondence, attachments with SSNs, scanned driver's licenses, and signed application forms.

This pattern has repeated across the insurance sector. The Insurance Office of America (IOA) breach, disclosed in January 2026, originated from a phishing email that gave an attacker five days of network access and exposed 12,913 records. The Chalmers Insurance Group breach, filed in October 2025 and affecting 157 individuals, followed a similar email-based intrusion vector. The common thread: insurance agencies handle high-sensitivity PII through email workflows that were never designed for that level of data protection.

The two-stage investigation at Nusbaum -- first the IT provider, then forensic specialists -- suggests the initial responders could not fully trace the attacker's access through the email environment. Email forensics requires specialized tooling to reconstruct mailbox access logs, identify exfiltrated messages, and determine which attachments were viewed or downloaded. Many small agency IT providers lack this capability.
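The two detection signals mentioned above for an email compromise, a login from outside a user's normal locations and a newly created rule that forwards mail to an external domain, can be checked mechanically against mailbox audit records. The following script is an added example written for this article, not code from Nusbaum, its IT provider, or the forensic firm; it reads a hypothetical vendor-neutral JSON-lines audit format with constructed sample records, an assumed internal domain (`example-agency.test`), and a constructed per-user country baseline, and it reports the findings an analyst would want to triage first.

```python
"""Flag two classic email-compromise indicators in a mailbox audit log:
logins from outside a user's baseline countries, and inbox rules that
forward mail to an address outside the agency's own domain.

Record shape (hypothetical, vendor-neutral, constructed for this example):
  {"ts": ..., "user": ..., "op": "Login"|"New-InboxRule", "ip": ...,
   "country": ..., "rule": {"forward_to": ..., "delete": bool}}
"""
import json

# Assumed internal mail domain for the agency (constructed value).
AGENCY_DOMAIN = "example-agency.test"

# Constructed sample audit records; not real logs from any product or incident.
SAMPLE_LOG = """
{"ts": "2024-08-01T08:02:11Z", "user": "agent1@example-agency.test", "op": "Login", "ip": "203.0.113.10", "country": "US"}
{"ts": "2024-08-01T08:05:40Z", "user": "agent1@example-agency.test", "op": "Login", "ip": "198.51.100.7", "country": "NG"}
{"ts": "2024-08-01T08:06:02Z", "user": "agent1@example-agency.test", "op": "New-InboxRule", "ip": "198.51.100.7", "country": "NG", "rule": {"name": ".", "forward_to": "backup@mail.example.net", "delete": true}}
{"ts": "2024-08-01T09:15:00Z", "user": "agent2@example-agency.test", "op": "Login", "ip": "203.0.113.11", "country": "US"}
{"ts": "2024-08-01T09:20:00Z", "user": "agent2@example-agency.test", "op": "New-InboxRule", "ip": "203.0.113.11", "country": "US", "rule": {"name": "Claims", "move_to": "Claims", "forward_to": "claims@example-agency.test"}}
"""

# Constructed baseline: countries each user has historically signed in from.
SAMPLE_BASELINE = {
    "agent1@example-agency.test": {"US"},
    "agent2@example-agency.test": {"US"},
}


def parse_log(text):
    """Parse JSON-lines audit records, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(address, domain=AGENCY_DOMAIN):
    """True when a mail address does not belong to the agency's own domain."""
    return address.rsplit("@", 1)[-1].lower() != domain.lower()


def detect(records, baseline, domain=AGENCY_DOMAIN):
    """Return a list of findings, each a dict with kind/user/ts/detail."""
    findings = []
    for rec in records:
        user = rec.get("user", "")
        op = rec.get("op")
        if op == "Login":
            # A sign-in from a country never seen for this user is the
            # anomalous-login signal; no baseline means everything is new.
            if rec.get("country") not in baseline.get(user, set()):
                findings.append({
                    "kind": "login_outside_baseline",
                    "user": user,
                    "ts": rec["ts"],
                    "detail": f"login from {rec.get('country')} via {rec.get('ip')}",
                })
        elif op == "New-InboxRule":
            # Forwarding to an external address (often with the original
            # deleted so the victim never sees it) is the classic BEC
            # persistence mechanism; internal forwards are normal workflow.
            rule = rec.get("rule", {})
            target = rule.get("forward_to")
            if target and is_external(target, domain):
                detail = f"forwards to external address {target}"
                if rule.get("delete"):
                    detail += " and deletes the original"
                findings.append({
                    "kind": "external_forward_rule",
                    "user": user,
                    "ts": rec["ts"],
                    "detail": detail,
                })
    return findings


def run_sample():
    """Run the detector over the constructed sample log and baseline."""
    return detect(parse_log(SAMPLE_LOG), SAMPLE_BASELINE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['kind']:24} {f['user']}: {f['detail']}")
```

On the sample data only `agent1` is flagged, twice: first the sign-in from a country outside the baseline, then, a minute later from the same address, the external forwarding rule with deletion enabled. `agent2`'s rule forwards to an internal address and is correctly ignored. In practice the baseline would be built from weeks of prior sign-in history per user, and both findings would be raised as alerts within minutes rather than discovered during a months-long forensic review.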

Who Is Affected

The 263 affected individuals are almost certainly policyholders, applicants, and claimants whose personal information was stored in Nusbaum's email system. Insurance agencies serve as intermediaries between carriers and customers, handling policy applications, endorsements, claims communications, and renewals -- all of which generate email traffic containing personal data.

Small insurance agencies like Nusbaum often represent multiple carriers, meaning the affected individuals' data may span different insurance products -- auto, home, life, commercial -- each with its own data collection requirements. A single client's email correspondence could contain their SSN from a life insurance application, their driver's license from an auto policy, and their bank account number from a premium payment setup.

The Central Islip, NY processing center location indicates that Nusbaum operates in a densely regulated state. New York policyholders may have recourse through the state's insurance department, which maintains oversight of agent conduct and data handling practices.

Regulatory and Legal Implications

The 13-month notification timeline places Nusbaum in a difficult regulatory position across multiple jurisdictions.

Maine breach notification law (Me. Rev. Stat. tit. 10 § 1348) requires notification "as expediently as possible and without unreasonable delay," with a 30-day hard deadline from the date the entity determines a breach has occurred. Even accounting for the extended forensic investigation, a 13-month window from discovery to notification will draw scrutiny from the Maine AG's office. The question regulators will ask: when did Nusbaum have enough information to determine that a breach had occurred, and how long after that determination did notification take?

GLBA Safeguards Rule applies to insurance agencies as financial institutions under Section 501(b) of the Gramm-Leach-Bliley Act. The FTC's updated Safeguards Rule requires covered entities to implement access controls, encryption, and monitoring for systems that handle customer financial information. An email environment containing SSNs, account numbers, and driver's license scans should have been protected by multi-factor authentication at minimum. Whether Nusbaum had MFA deployed on its email system is a key compliance question.

New York insurance regulation adds another layer. The NYDFS Cybersecurity Regulation (23 NYCRR 500) applies to entities licensed by the Department of Financial Services, including insurance agents and agencies. While small agencies may qualify for limited exemptions based on employee count and revenue, the regulation's core requirements -- risk assessments, access controls, and incident notification within 72 hours -- set the baseline expectation for New York-licensed insurance entities. If Nusbaum holds a DFS license, the 13-month notification gap is orders of magnitude beyond the 72-hour reporting requirement.

State insurance commissioners in any state where affected policyholders reside may open inquiries into the agency's data handling and notification practices. Insurance agents are licensed professionals, and a data breach of this nature can trigger license review proceedings.

The Insurance Agency Sector as a Persistent Target

Nusbaum's breach is small by headline standards -- 263 individuals will not generate the media attention of a six-figure breach count. But the incident is symptomatic of a structural vulnerability in the insurance distribution chain. There are approximately 400,000 licensed insurance agencies in the United States, most of them small businesses with fewer than 20 employees. These agencies collectively handle millions of policy applications, each containing the kind of sensitive data that was exposed here.

The FinSecLedger breach tracker shows a steady accumulation of insurance sector incidents. The Decisely Insurance Services breach, disclosed in October 2025, exposed 113,984 records through a cloud storage compromise at a benefits brokerage. At the other end of the scale, the Chalmers Insurance Group breach affected 157 individuals through what appears to be a similar email-based attack. The pattern spans the full range of agency sizes -- from single-office operations to national intermediaries -- because the underlying vulnerability is the same: sensitive client data transiting through and stored in email systems that lack adequate controls.

The FBI's IC3 has reported that BEC attacks caused over $2.9 billion in losses in its most recent annual report, with insurance and financial services among the top-targeted sectors. Email remains the primary business communication tool for insurance agencies, and until the industry adopts secure document exchange platforms that remove PII from email workflows, breaches like Nusbaum's will continue.

Credit monitoring through CyEx Identity Defense Complete -- the remediation Nusbaum is offering -- is a standard post-breach response. But for 263 individuals whose SSNs, DOBs, driver's license numbers, and account numbers have been exposed for over a year before notification, credit monitoring is a retrospective measure. The window for proactive fraud prevention closed long before the notification letters arrived.

Action Items for Financial Institutions

  1. Deploy multi-factor authentication on all email accounts. Phishing-resistant MFA -- FIDO2 hardware keys or passkeys -- should be the baseline for any account with access to client PII. SMS-based MFA is insufficient against credential-harvesting attacks targeting insurance agencies.

  2. Remove PII from email workflows. Policy applications, claims documents, and account information should be exchanged through encrypted client portals, not email attachments. If clients email sensitive documents, agents should have tools to strip and vault the data immediately.

  3. Establish incident response relationships before a breach occurs. Nusbaum's two-stage investigation -- first the IT provider, then forensic experts -- cost months. Agencies should have a pre-negotiated retainer with a digital forensics firm that includes email forensics capabilities.

  4. Implement email data loss prevention (DLP) rules. Automated scanning for SSN patterns, account numbers, and other PII in outbound and stored email can reduce the blast radius of an email compromise by identifying and flagging sensitive data before it accumulates in mailboxes.

  5. Review insurance agency vendor contracts. Carriers and MGAs that work with independent agencies should include cybersecurity requirements in their agency agreements -- MFA, encryption, breach notification timelines -- and verify compliance through periodic attestation.

  6. Audit mailbox retention policies. Email accounts at insurance agencies often retain years of client correspondence. Aggressive retention limits -- 90 to 180 days for messages containing PII -- reduce the volume of data exposed when a mailbox is compromised.
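Items 4 and 6 together describe one control: scan stored mail for PII patterns and treat anything past the retention limit as data to vault and purge rather than leave in the mailbox. The script below is an added example written for this article, not a tool used by Nusbaum or any product named here. It uses constructed sample messages, an assumed 180-day retention limit, a structural SSN validity check (area not 000, 666 or 900-999; group not 00; serial not 0000) so that placeholder numbers do not produce false positives, and a deliberately simple keyword-plus-digits heuristic for account numbers that is an assumption, not a standard.

```python
"""Mailbox DLP triage: find SSN and account-number patterns in stored
messages and decide, per message, whether it is clean, should be flagged
for vaulting, or is past retention and should be vaulted and purged."""
import re
from datetime import date

RETENTION_DAYS = 180  # assumed retention limit for messages containing PII

# Constructed sample messages; the numbers are not real identifiers.
SAMPLE_MESSAGES = [
    {"id": "m1", "date": "2024-01-15", "subject": "Life application",
     "body": "Attached is the application. SSN 219-09-9999 for verification."},
    {"id": "m2", "date": "2024-07-20", "subject": "Autopay",
     "body": "Premium autopay is set up. Account number: 000123456789. Thanks."},
    {"id": "m3", "date": "2024-07-25", "subject": "Renewal",
     "body": "Renewal reminder for the auto policy, no documents attached."},
    {"id": "m4", "date": "2024-03-01", "subject": "Form template",
     "body": "Sample fields use 000-12-3456 and 666-12-3456 as placeholders."},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Assumed heuristic: the word account/acct, optional "#"/"no."/"number",
# then 8-17 digits. Tune to the agency's real policy/account formats.
ACCOUNT_RE = re.compile(
    r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*[:#]?\s*(\d{8,17})\b", re.IGNORECASE)


def valid_ssn(area, group, serial):
    """Structural SSA rules: reject area 000/666/900+, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def find_ssns(text):
    """Return structurally valid SSN strings found in text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]


def find_account_numbers(text):
    """Return digit strings that appear in an account-number context."""
    return [m.group(1) for m in ACCOUNT_RE.finditer(text)]


def mask(value):
    """Keep only the last four characters for reports and tickets."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]


def triage_message(msg, today, retention_days=RETENTION_DAYS):
    """Classify one message as ok / flag / vault_and_purge."""
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    ssns = find_ssns(text)
    accounts = find_account_numbers(text)
    age = (today - date.fromisoformat(msg["date"])).days
    if not ssns and not accounts:
        action = "ok"
    elif age > retention_days:
        action = "vault_and_purge"
    else:
        action = "flag"
    return {
        "id": msg["id"],
        "age_days": age,
        "ssn_count": len(ssns),
        "account_count": len(accounts),
        "masked": [mask(v) for v in ssns + accounts],
        "action": action,
    }


def triage_mailbox(messages, today, retention_days=RETENTION_DAYS):
    """Triage every message; results are in input order."""
    return [triage_message(m, today, retention_days) for m in messages]


if __name__ == "__main__":
    for row in triage_mailbox(SAMPLE_MESSAGES, date(2024, 8, 1)):
        print(f"{row['id']} age={row['age_days']:>3}d ssn={row['ssn_count']} "
              f"acct={row['account_count']} {row['masked']} -> {row['action']}")
```

Run against the constructed mailbox as of 2024-08-01, `m1` is 199 days old and holds an SSN, so it is marked for vaulting and purging; `m2` holds an account number but is only 12 days old, so it is flagged for the agent to move into the portal; `m3` is clean; and `m4`, although old, contains only placeholder numbers that fail the structural SSN check, which is the false positive a naive `\d{3}-\d{2}-\d{4}` rule would have raised. Reports carry only masked values so the DLP output itself does not become another copy of the PII.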

Tags: breach, insurance, unauthorized_access, email-compromise, maine-ag, ssn