Skip to content
Support
Donations
Data Breaches

International Insurer VUMI Group Allegedly Breached, 300K Policyholders and 25K Staff Exposed With SSNs, Passports, and W-9 Forms

 and  Dark Web Informer
10 min read
Dark Web Informer - Cyber Threat Intelligence

International Insurer VUMI Group Allegedly Breached, 300K Policyholders and 25K Staff Exposed With SSNs, Passports, and W-9 Forms

April 13, 2026 - 2:12:51 PM UTC
United States
Insurance
Standalone API Access Now Available High-volume threat-intelligence data, automated ingestion endpoints, ransomware feeds, IOC data, and more.
View API
Unlock Exclusive Cyber Threat Intelligence
Powered by DarkWebInformer.com
Stay ahead of cyber threats with real-time breach tracking, expert analysis, and high quality evidence - built for security professionals, researchers, journalists, and everyday people who take their privacy seriously.
Subscribe Now

Quick Facts

Date & Time 2026-04-13 14:12:51 UTC
Threat Actor bytetobreach
Victim VUMI Group International Insurance
Industry Insurance
Category Data Breach
Insured Clients ~300,000
Staff / Partners / Agents 25,000+
Exfiltration Duration 6 Days
Severity Critical
Price Contact Seller
Network Open Web
Country United States

Incident Overview

A threat actor going by bytetobreach claims to have breached VUMI Group, an international health and life insurance provider. VUMI Group operates globally and provides coverage to expatriates, multinational organizations, and high-net-worth individuals. The actor states the exfiltration took 6 days using carefully calibrated parameters to avoid crashing the server, and emphasizes that all databases and documents were taken exclusively from VUMI Group with no third-party involvement.


The breach reportedly exposes approximately 300,000 insured clients and over 25,000 staff, partners, and agents. The actor describes the dataset as containing "everything" and specifically highlights the following:

  • Complete PII: Full personally identifiable information for both agents and clients.
  • Social Security Numbers: SSNs for affected individuals, confirmed by a dedicated proof screenshot (5_SSN_NUMBERS.png).
  • Passport Documents: Scanned passport documents for policyholders, confirmed by a separate proof screenshot (6_PASSPORT.png).
  • W-9 Tax Forms: U.S. tax forms containing taxpayer identification numbers, legal names, addresses, and certification signatures.

The actor provided a methodical series of proof screenshots documenting the attack chain: 1_POSSIBLE_VULNERABILITY.png (initial vulnerability discovery), 2_PAYLOAD.png (exploit delivery), 3_DB_ENUM.png (database enumeration), 4_EXFILTRATION.png (data extraction), 5_SSN_NUMBERS.png (SSN data proof), and 6_PASSPORT.png (passport document proof). This structured proof format suggests a deliberate, documented attack rather than an opportunistic data grab.


The data is being distributed through OwnCloud with two backup links, and the actor prefers contact via Session or Signal messaging. Given that VUMI Group serves expatriates and international clients, the combination of SSNs, passport scans, and W-9 forms creates an exceptionally high identity theft risk. Passport documents in particular enable travel document fraud, while W-9 forms provide the exact information needed for tax identity theft.

Compromised Data Categories

Social Security Numbers Passport Documents (Scans) W-9 Tax Forms Complete PII (Clients & Agents) Insurance Policy Data Staff & Partner Records Agent Network Data Database Contents

Image Preview

Forum post by bytetobreach showing VUMI Group International Insurance logo and initial vulnerability proof screenshot Attack chain proof screenshots, 300K insured and 25K staff exposure details, OwnCloud download links, and Session/Signal contact preferences

Claim URL

Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers.
Subscribe
Subscriber Access View the original listing URL and unredacted claim images on the feeds below.
Threat Feed Ransomware Feed

MITRE ATT&CK Mapping

T1190 Exploit Public-Facing Application
The documented attack chain shows vulnerability discovery followed by payload delivery against VUMI Group's web-facing infrastructure to gain initial access to the insurance database.
T1213 Data from Information Repositories
Database enumeration followed by systematic extraction of policyholder records, agent data, SSNs, passport documents, and W-9 forms from VUMI Group's insurance management systems.
T1589.001 Gather Victim Identity: Credentials
Harvests SSNs, passport data, and W-9 tax forms for 300,000 insured clients and 25,000+ staff/agents, creating a comprehensive identity theft and tax fraud dataset.
T1030 Data Transfer Size Limits
The actor explicitly used throttled extraction parameters over 6 days to avoid crashing the server, indicating careful data transfer size management during the exfiltration.
T1567 Exfiltration Over Web Service
Distributes the stolen insurance data through OwnCloud with two backup download links, with the actor preferring Session and Signal for buyer communications.
T1005 Data from Local System
Collects scanned passport documents and W-9 tax forms stored on the insurance company's file systems, representing document-level data beyond structured database records.

Dark Web Informer © 2026 | Cyber Threat Intelligence
DarkWebInformer.com

Related

Latest