Velocity Risk Breach: Former Vendor WaterStreet Exposes 39,310
Velocity Risk Underwriters disclosed a breach affecting 39,310 policyholders after former vendor WaterStreet Company was hacked on March 17, 2025, exposing SSNs and account data.
Velocity Risk Underwriters, a Nashville-based property and casualty insurance underwriter, disclosed a data breach affecting 39,310 individuals after its former third-party vendor, WaterStreet Company, was hacked on March 17, 2025. The supplemental filing with the Maine Attorney General on September 4, 2025, reveals that WaterStreet was no longer providing services to Velocity at the time of the breach -- and that Velocity's termination agreement "provided that WaterStreet would not retain any data from Velocity." The data was still there.
The compromised information includes names, Social Security numbers (and Tax Identification Numbers), and financial account information. For nearly 40,000 policyholders, a vendor that was contractually obligated to delete their data instead kept it on systems that were subsequently breached. This case is a textbook example of why vendor offboarding is as critical as vendor onboarding -- and why data destruction clauses in service agreements are meaningless without verification.
Timeline: From Vendor Breach to Policyholder Notification
March 17, 2025: WaterStreet Company discovers suspicious activity in its environment. The company shuts down affected systems and launches an investigation with external cybersecurity specialists. The investigation confirms that an unauthorized actor accessed certain files on this date.
April 28, 2025: WaterStreet notifies Velocity -- 42 days after the breach -- that information related to Velocity may have been involved. This is the first time Velocity learns its data was compromised.
June 26, 2025: WaterStreet provides Velocity with data files identifying affected business clients and individuals, along with the types of information potentially compromised. Velocity begins its own review to confirm the data, verify affected individuals, identify associated clients, locate mailing addresses, and remove duplicates.
July 14, 2025: Velocity provides a preliminary estimate to Maine: approximately 19 residents affected.
August 22, 2025: Velocity completes its review and sends final data files to WaterStreet for notification purposes.
September 2-3, 2025: WaterStreet processes the files through the National Change of Address database and mails notification letters to affected individuals. The final Maine count: 22 residents. Total affected: 39,310.
The end-to-end timeline from breach to notification spans nearly six months. The delay breaks down into three phases: WaterStreet's 42-day delay in notifying Velocity, a two-month data exchange and review period between the companies, and another two months for Velocity's internal review and deduplication. Each phase is individually defensible, but the cumulative result is that policyholders learned their SSNs were compromised almost half a year after the breach occurred.
What Data Was Exposed
The notification confirms three categories of compromised data:
- Social Security numbers / Tax Identification Numbers -- the core identifier for financial fraud, tax fraud, and synthetic identity creation. TINs are included because Velocity, as an insurance underwriter, collects EINs and ITINs from agents, policyholders, and claimants.
- Financial account information -- likely bank account and routing numbers used for premium payments or claims disbursements.
- Names -- combined with SSNs and financial data, these provide a complete fraud profile.
The data types vary by individual, meaning some affected persons had SSNs exposed while others may have had only names and account numbers. But the presence of SSNs across the affected population makes this a high-severity exposure regardless of the per-person variation.
How the WaterStreet Breach Happened
WaterStreet's notification letter describes the attack as an unauthorized actor accessing "certain files" on March 17, 2025. The company does not disclose the specific attack vector -- whether it was a vulnerability exploit, credential compromise, or ransomware deployment. The letter's reference to shutting down "potentially affected systems" and restoring them "to operability" suggests more than a simple data theft; this language is consistent with ransomware or destructive malware that required system recovery.
WaterStreet provided "back-office/policy administrative services" for Velocity, handling the operational infrastructure behind insurance policy issuance, management, and claims processing. The notification states that policies were "issued by Velocity and underwritten by State National Companies," revealing a multi-party insurance relationship: State National as the paper carrier, Velocity as the managing general underwriter, and WaterStreet as the technology and operations vendor.
This third-party chain -- carrier to underwriter to vendor -- is common in specialty insurance. It creates a data cascade where policyholder information flows through multiple organizations, each with its own security posture. The CNA Continental Casualty breach, also a vendor-originated incident through Conduent, demonstrated the same pattern: a back-office vendor's compromise exposing data across the insurance value chain.
The Data Retention Problem
The most significant detail in this filing is buried in the middle of the attorney's letter: "Notably, WaterStreet was no longer providing services for Velocity at the time of the incident and the termination agreement provided that WaterStreet would not retain any data from Velocity."
This sentence reveals a fundamental failure in vendor offboarding. When Velocity terminated its relationship with WaterStreet, the termination agreement included a data destruction clause -- standard language in vendor contracts that obligates the departing vendor to delete or return all client data. WaterStreet either failed to execute that destruction or retained copies of Velocity data despite the contractual prohibition.
Data retention after contract termination is one of the most common and least-addressed vendor risk failures in the insurance industry. Organizations invest heavily in vendor selection and onboarding -- due diligence questionnaires, SOC 2 reviews, contract negotiations -- but the offboarding process often consists of a termination letter and an assumption that the vendor will comply with data destruction requirements.
The Decisely Insurance Services breach, which exposed 113,984 records through a cloud storage compromise affecting 225+ partner organizations, illustrates the scale of data that benefits and insurance vendors accumulate. When those vendors are breached -- or in Velocity's case, when a former vendor retains data it was supposed to delete -- the downstream impact reaches across the entire client base.
Who Is Affected
The 39,310 affected individuals are associated with insurance policies issued by Velocity and underwritten by State National Companies. This likely includes policyholders, claimants, agents, and potentially their dependents or beneficiaries whose information was stored in WaterStreet's policy administration systems.
The Maine filing identifies 22 Maine residents in the affected population. Given that Velocity is a national underwriter operating in the property and casualty space, the affected population spans multiple states. State National Companies, the carrier named in the filing, is a Texas-based specialty insurer that underwrites programs across all 50 states.
Regulatory and Legal Implications
State insurance regulatory attention: Velocity, as a managing general underwriter, operates under delegated authority from State National Companies. State insurance departments that oversee MGU arrangements will want to understand how a terminated vendor retained policyholder data in violation of a contract -- and whether Velocity conducted any post-termination verification of data destruction.
NAIC Insurance Data Security Model Law: States that have adopted the NAIC Insurance Data Security Model Law (based on the NYDFS Cybersecurity Regulation framework) require licensed insurers and their authorized representatives to implement comprehensive information security programs that extend to third-party service providers. Velocity's failure to verify data destruction at a terminated vendor could constitute a compliance gap under these frameworks.
FTC and GLBA implications: Financial account information and SSNs fall under GLBA protections. The FTC Safeguards Rule requires covered entities to oversee service providers' handling of customer information -- including data destruction at the end of the service relationship. Velocity's reliance on a contractual data destruction clause without verification exposes a gap that regulators may examine.
Class action risk: The combination of SSN exposure, a contractual data destruction failure, and a six-month notification timeline creates strong grounds for class action litigation. Plaintiffs' attorneys will argue that Velocity's damages were entirely preventable -- if WaterStreet had complied with the termination agreement, no Velocity data would have been present on WaterStreet's systems when they were breached.
The Vendor Offboarding Gap
Velocity's breach exposes a risk that most financial institutions acknowledge in theory but fail to address in practice. According to FinSecLedger's breach tracker, third-party vendor breaches remain one of the most common origins for financial sector data compromises. But this incident goes further: it's not an active vendor that was breached -- it's a terminated vendor that retained data in violation of a contract.
The insurance industry's reliance on delegated authority relationships, managing general agents, third-party administrators, and back-office vendors creates a sprawling data supply chain. Data flows from policyholders to agents to MGUs to carriers to vendors and back. At each handoff, data accumulates in systems that may outlast the business relationship.
The FBI IC3 2023 Internet Crime Report and the Verizon DBIR consistently highlight third-party compromises as a growing vector, but neither adequately captures the terminated-vendor retention problem because it's rarely disclosed as a root cause. Velocity's unusual transparency in noting the terminated relationship makes this filing an important reference point for the industry.
Action Items for Financial Institutions
- For affected individuals: Activate the complimentary 12-month IDX credit monitoring using the enrollment code in your notification letter before the December 3, 2025 deadline. Place fraud alerts with Equifax, Experian, and TransUnion. Monitor bank accounts linked to your insurance policies for unauthorized transactions.
- For insurance carriers and MGUs: Audit your terminated vendor relationships. Identify every vendor that has been offboarded in the past three years and request written certification that client data has been destroyed. Do not accept a contractual obligation as evidence of compliance -- require a certificate of destruction signed by an authorized officer, and consider requesting independent verification.
- For vendor management teams: Build data destruction verification into your vendor offboarding checklist. This should include: a formal destruction request with a specified deadline, a signed certificate of destruction, and for high-risk vendors, an independent audit or technical validation that data has been purged from all systems, including backups.
- For legal and compliance teams: Review your template vendor agreements. Ensure data destruction clauses include: a specific timeframe for destruction (30 days post-termination is standard), a requirement for written certification, the right to audit or verify destruction, and liquidated damages for non-compliance. The Velocity case demonstrates that a generic "shall not retain" clause is insufficient.
- For board and executive reporting: This breach should be flagged as a case study in vendor lifecycle risk. The question for every insurance company board is simple: how many former vendors still have access to our policyholder data? If you can't answer that question with certainty, your vendor risk program has a gap.