Cyber Incident Victim: Insurance Services Office

In July 2015, New Jersey-based Insurance Services Office (ISO), a provider of information and analytics to the property and casualty insurance industry, disclosed a breach of its insurance policyholder database. A county prosecutor’s office in New Jersey confirmed unauthorized access to the database, which contained sensitive personal information including contact details, dates of birth, Social Security numbers, insurance policy numbers, and driver’s license numbers. The breach impacted an undisclosed number of consumers insured by participating companies that contributed data to ISO’s systems. Law enforcement requested ISO delay consumer notifications to avoid interfering with their criminal investigation, though the exact timeline of the breach discovery and investigation launch remains unspecified in available records. ISO initiated notifications after authorities permitted disclosure but did not reveal whether forensic analysis identified the intrusion method or attack vector.

ISO offered affected individuals one year of complimentary credit monitoring through AllClear ID and AllClear PRO services as part of its response. The organization’s notification template did not confirm any evidence of data misuse, nor did it disclose whether arrests or charges had been filed in connection with the incident. Investigators had not publicly determined whether the breach resulted from external attacks or insider actions at the time of disclosure. The compromised database served as a central repository for insurer-submitted policyholder records, exposing customers of multiple insurance carriers to potential identity theft or fraud risks. No technical details regarding database security controls, remediation efforts, or system modifications were included in ISO’s public communications about the incident.