VeriSource now says February data breach impacts 4 million people

Employee benefits administration firm VeriSource Services is warning that a data breach exposed the personal information of four million people. 

VeriSource is a Texas-based employee benefits administration and HR outsourcing solutions provider with diverse clients across the U.S.

The firm has begun data breach notifications to impacted individuals about a cybersecurity incident that occurred in February 2024, but the impact of which it took them until April 2025 to evaluate.

According to VeriSource’s investigation, the incident exposed sensitive information to external threat actors.

“On February 28, 2024, VSI became aware of unusual activity that disrupted access to certain systems,” reads the firm’s notice shared with the authorities.

“Upon discovery, VSI immediately took steps to secure its network and engaged a leading, independent digital forensics and incident response firm to investigate what happened and whether any sensitive data may have been impacted.”

“The investigation subsequently revealed certain personal information may have been acquired without authorization by an unknown actor on or about February 27, 2024.”

The process of determining who had their information exposed as a result of this breach was only concluded on April 17, 2025, and notices of a data breach were circulated on April 23.

In the sample VeriSource shared with Maine’s Attorney General’s office, the potentially impacted data types include an employee’s full name, address, date of birth, gender, and Social Security number (SSN).

VeriSource now offers twelve months of credit monitoring, identity protection, and identity restoration services to those impacted.

It should be clarified that VeriSource made attempts previously to inform impacted individuals, sending letters to 55,000 people in May 2024 and another 112,000 in September 2024. However, these figures are far from the total of 4,000,000 now disclosed.

If you have received a notification from VeriSource, even if admittedly late, it’s crucial to take advantage of the offered credit and identity protection service as soon as possible and remain vigilant for phishing attacks.

BleepingComputer has found no VeriSource entries on ransomware extortion portals, so the exact nature of the cybersecurity incident is unclear.