Telcom Insurance Group Breach Exposes Social Security Numbers

On May 26, 2025, Telcom Insurance Group experienced a ransomware attack that led to the encryption of several servers and files. The cybercriminal group known as LYNX claimed responsibility for the attack, later posting on the dark web on June 23, 2025, that they had obtained data from the organization and intended to publish it within days.

During the incident, the attackers gained potential access to email and work files belonging to certain Telcom Insurance Group executives. These files included sensitive personal information, including names and Social Security numbers.

The breach was confirmed to have affected at least two New Hampshire residents, according to a notice filed with the New Hampshire Attorney General. A disclosure was also filed with the Vermont Attorney General on Nov. 19, 2025.

The severity of the breach is notable due to the method of attack being ransomware and the type of data exposed. Ransomware attacks often involve not only the encryption of files but also the theft and potential public release of sensitive data if ransom demands are not met. In this case, the LYNX group’s dark web post heightened concerns about the possible dissemination of stolen information.

Telcom Insurance Group's response

Upon discovering the ransomware attack, Telcom Insurance Group launched an internal investigation to determine the scope of the incident. The company engaged its IT team and external security partners to enhance security measures and monitor for any leaked data, including on the dark web.

To identify affected individuals, Telcom Insurance Group retained the data mining firm Mindcrest, investing over $100,000 in forensic analysis. Once it was determined that Social Security numbers may have been compromised, the company also worked with TransUnion to locate current mailing addresses for those impacted.

Telcom Insurance Group has notified affected individuals in phases as they were identified and could be reached. For those affected, the company is offering 12 months of complimentary identity theft monitoring and restoration services through Kroll. The notification letters include instructions on how to enroll in these services, as well as detailed guidance on remaining vigilant, monitoring credit reports, and placing fraud alerts or security freezes if necessary.

Given the nature of this ransomware attack, it is especially important for anyone who receives a notification to take the following steps:

• Enroll in the free credit monitoring and identity restoration services offered
• Regularly review account statements and credit reports for any unauthorized activity
• Consider placing a fraud alert or security freeze with the major credit bureaus
• Report any suspicious activity to financial institutions and, if needed, to law enforcement or the Federal Trade Commission