Breaches | Apr 13, 2026

International Insurer VUMI Group Allegedly Breached, 300K Policyholders and 25K Staff Exposed With SSNs, Passports, and W-9 Forms

VUMI Group insurer breached; 300K policyholders and 25K staff exposed with SSNs, passports, W-9 forms.

Summary

Threat actor bytetobreach claims to have breached VUMI Group, an international health and life insurance provider, exposing approximately 300,000 insured clients and over 25,000 staff members. The exfiltration reportedly includes complete PII, Social Security Numbers, scanned passport documents, and U.S. W-9 tax forms, with the actor providing detailed proof screenshots of the attack chain. The stolen data is being distributed via OwnCloud with the actor seeking contact through Session or Signal messaging.

Full text

Dark Web Informer - Cyber Threat Intelligence
April 13, 2026 - 2:12:51 PM UTC

Quick Facts

Date & Time: 2026-04-13 14:12:51 UTC
Threat Actor: bytetobreach
Victim: VUMI Group International Insurance
Industry: Insurance
Category: Data Breach
Insured Clients: ~300,000
Staff / Partners / Agents: 25,000+
Exfiltration Duration: 6 Days
Severity: Critical
Price: Contact Seller
Network: Open Web
Country: United States

Incident Overview

A threat actor going by bytetobreach claims to have breached VUMI Group, an international health and life insurance provider. VUMI Group operates globally and provides coverage to expatriates, multinational organizations, and high-net-worth individuals. The actor states the exfiltration took 6 days using carefully calibrated parameters to avoid crashing the server, and emphasizes that all databases and documents were taken exclusively from VUMI Group with no third-party involvement.

The breach reportedly exposes approximately 300,000 insured clients and over 25,000 staff, partners, and agents. The actor describes the dataset as containing "everything" and specifically highlights the following:

Complete PII: Full personally identifiable information for both agents and clients.
Social Security Numbers: SSNs for affected individuals, confirmed by a dedicated proof screenshot (5_SSN_NUMBERS.png).
Passport Documents: Scanned passport documents for policyholders, confirmed by a separate proof screenshot (6_PASSPORT.png).
W-9 Tax Forms: U.S. tax forms containing taxpayer identification numbers, legal names, addresses, and certification signatures.

The actor provided a methodical series of proof screenshots documenting the attack chain: 1_POSSIBLE_VULNERABILITY.png (initial vulnerability discovery), 2_PAYLOAD.png (exploit delivery), 3_DB_ENUM.png (database enumeration), 4_EXFILTRATION.png (data extraction), 5_SSN_NUMBERS.png (SSN data proof), and 6_PASSPORT.png (passport document proof). This structured proof format suggests a deliberate, documented attack rather than an opportunistic data grab. The data is being distributed through OwnCloud with two backup links, and the actor prefers contact via Session or Signal messaging.

Given that VUMI Group serves expatriates and international clients, the combination of SSNs, passport scans, and W-9 forms creates an exceptionally high identity theft risk. Passport documents in particular enable travel document fraud, while W-9 forms provide the exact information needed for tax identity theft.

Compromised Data Categories

Social Security Numbers
Passport Documents (Scans)
W-9 Tax Forms
Complete PII (Clients & Agents)
Insurance Policy Data
Staff & Partner Records
Agent Network Data
Database Contents

MITRE ATT&CK Mapping

T1190 Exploit Public-Facing Application
The documented attack chain shows vulnerability discovery followed by payload delivery against VUMI Group's web-facing infrastructure to gain initial access to the insurance database.

T1213 Data from Information Repositories
Database enumeration followed by systematic extraction of policyholder records, agent data, SSNs, passport documents, and W-9 forms from VUMI Group's insurance management systems.

T1589.001 Gather Victim Identity: Credentials
Harvests SSNs, passport data, and W-9 tax forms for 300,000 insured clients and 25,000+ staff/agents, creating a comprehensive identity theft and tax fraud dataset.

T1030 Data Transfer Size Limits
The actor explicitly used throttled extraction parameters over 6 days to avoid crashing the server, indicating careful data transfer size management during the exfiltration.

T1567 Exfiltration Over Web Service
Distributes the stolen insurance data through OwnCloud with two backup download links, with the actor preferring Session and Signal for buyer communications.

T1005 Data from Local System
Collects scanned passport documents and W-9 tax forms stored on the insurance company's file systems, representing document-level data beyond structured database records.
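A defender-side sketch of how a throttled, multi-day transfer like the one described under T1030 can be surfaced: per-client egress is summed over a rolling window instead of being judged per request or per hour. This is an added example, not part of the original report; the log format, thresholds, and addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified access-log line: ISO time, client, status, bytes sent.
LINE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")

def parse(lines):
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # skip malformed lines instead of failing the whole run
            yield datetime.fromisoformat(m[1]), m[2], int(m[4])

def slow_exfil_candidates(lines, window_days=7, min_total=500_000_000,
                          min_active_days=5):
    """Flag clients whose egress adds up to min_total across at least
    min_active_days distinct days inside the rolling window."""
    hourly = defaultdict(lambda: defaultdict(int))   # client -> hour -> bytes
    for ts, client, sent in parse(lines):
        hourly[client][ts.replace(minute=0, second=0, microsecond=0)] += sent
    flagged = {}
    for client, buckets in hourly.items():
        start = max(buckets) - timedelta(days=window_days)
        recent = {h: b for h, b in buckets.items() if h > start}
        total = sum(recent.values())
        days = {h.date() for h in recent}
        if total >= min_total and len(days) >= min_active_days:
            flagged[client] = {"total_bytes": total, "active_days": len(days),
                               "peak_hour_bytes": max(recent.values())}
    return flagged

def sample_log():
    """Constructed data: one throttled client over 6 days, one single-burst
    client, one ordinary user. Addresses are from documentation ranges."""
    t0 = datetime(2026, 1, 1)
    out = []
    for h in range(6 * 24):                       # 6 days, 5 MB every hour
        out.append(f"{(t0 + timedelta(hours=h)).isoformat()} 203.0.113.7 200 5000000")
    out.append(f"{t0.isoformat()} 198.51.100.9 200 900000000")   # one large burst
    for d in range(6):                            # light daily use
        out.append(f"{(t0 + timedelta(days=d, hours=9)).isoformat()} 192.0.2.4 200 40000")
    out.append("garbage line")
    return out
```

The `peak_hour_bytes` field shows why the throttled client is easy to miss: its busiest hour is far smaller than the single-burst client's, yet only the cumulative view exposes it.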

Entities

VUMI Group (vendor)
bytetobreach (threat_actor)
OwnCloud (technology)