How Data Extortion Schemes Are Evolving In Targeting Insurance Providers

Cyber criminals are quickly changing their tactics, and one of the clearest signs of this shift in strategy is the emergence of data extortion operations that target the insurance industry. Instead of relying on the traditional ransomware model, in which systems are encrypted and a ransom payment restores access, criminals seem to prefer taking sensitive data and then threatening to publish it unless a ransom is paid. This has been a much more profitable approach, particularly against organizations that hold many records containing personally identifiable information and financial details.

A recent example of this emerging trend is the California Casualty Companies data breach, which came to light in November 2025. In this breach, an unauthorized actor or actors accessed the insurer's networks over a period of days, and highly sensitive information may have been compromised (e.g., Social Security numbers, driver's license numbers, financial account numbers, and tax identification numbers). Although the full extent of the breach is still being determined, it demonstrates a larger shift in criminal tactics: insurance providers are now attacked because the data they store is uniquely valuable for extortion as well as identity fraud.

Why Insurance Companies Are Now Prime Targets for Extortion

Insurance firms hold some of the most comprehensive identity profiles of any industry: policy writing, claims processing, underwriting, and regulatory compliance require far more documentation than a single retail or hospitality breach could expose. This gives attackers a huge edge. Once they gain access to such a rich dataset, they can leverage more sensitive identity and financial information about individuals.

Extortion groups are increasingly exploiting the following factors:

1. High-risk data creates high-pressure situations

The mere threat of leaking sensitive identity materials (e.g., Social Security numbers, bank accounts, and tax identification numbers) puts tremendous pressure on organizations to pay to keep the data from being made public. When data is only encrypted, victims can restore it from backups. Stolen data, though, cannot be “un-leaked.” Once it is leaked, it will remain available on dark-web markets forever, and any victim may be at risk for years to come.

2. Insurance data supports layered blackmail and identity manipulation

Cybercriminals can weaponize stolen documents in ways that go well beyond simply selling them. Data such as claim histories, employment information, and medical or financial records can be used for further extortion of individuals or organizations in other high-stakes situations. Extortion is no longer limited to organizations; it can now also be directed at the individuals whose identity information was stolen.

3. Multi-party systems increase the attack surface

Insurers often interact with claims adjusters, vendors, brokers, and technology partners. Each of those relationships represents an additional potential vulnerability. Attacks on ancillary systems as a route to core data repositories are on the rise, and attackers are aware that third-party vendors may have weaker oversight of data access controls.

Double and Triple Extortion

Today’s extortion schemes go beyond demanding a ransom for stolen files. Most are "double extortion": in addition to demanding a ransom, the extortionist threatens to disclose the files publicly and to alert everyone affected, which increases the fear factor. There are even "triple extortion" operations in which all of the impacted parties are threatened, including business partners, clients, and regulators.

From the insurance perspective, especially for insurers serving extremely trust-centric professions like first responders, educators, and medical professionals, the reputational risk is substantial. The leak of sensitive documentation can cause reputational damage that may exceed any immediate costs related to the data breach.

A Pivotal Moment in the Insurance Sector

The incident involving California Casualty points to a larger industry concern: the tendency to build cybersecurity frameworks that prioritize protecting against the disruption of operations and systems rather than against data extraction. Effective risk mitigation today will also require stronger network segmentation, data minimization, encryption of stored records, and due diligence over vendors.

For as long as personal identity data is more valuable to extract than to encrypt, attacks against insurance companies will continue to accelerate. The industry has reached a point where rapid mitigation through proactive security and a willingness to be transparent in the response phase matter for regaining public trust and protecting policyholders from permanent damage.