VeriSource cops to 4 million accounts lost in 2024 data breach

VeriSource confirmed that the personal information of at least four million people was taken in a February 2024 data breach.

The company said in a statement that a threat actor breached its network and accessed the personal data of employees and dependents that were on its VSI services platform.

VeriSource and its parent company VSI provide HR management platforms for organizations, including employee benefit programs. The disclosed information is said to include names, addresses, dates of birth, gender classification, and Social Security numbers.

In short, everything an identity thief would need to pull off a devastation attack on a targeted individual.

"On February 28, 2024, VSI became aware of unusual activity on our network environment," the company said.

“Upon discovering this activity, VSI immediately took steps to secure our network and launched an investigation with the assistance of independent cybersecurity experts.”

VSI detailed the investigation and notification process, explaining that between working with forensic investigators and speaking with its clients internally, the entire process took more than a calendar year.

“VSI also notified its client companies and continued to work with them to collect the necessary information to notify additional individuals affected by this incident,” the company said. 

“That process was completed on April 17, 2025. We then took steps to notify impacted individuals of the incident as quickly as possible.”

It is not known if any of the pilfered information was used in fraud attacks during that time, though VSI said it has not received reports of the data being traded or abused in the wild.

The notice did not explicitly mention credit monitoring services, but did said the company would be offering “resources that potentially impacted individuals could utilize to protect their information, including the opportunity to enroll in complimentary identity protection services through IDX.”

While the company’s notification did not give the number of people exposed in the incident, state-mandated disclosure entries list the number of impacted individuals at 4 million.

VSI did not disclose just how the cybercriminals were able to get into its systems or access the sensitive data. They also did not disclose whether that data was encrypted at the time of the attack.

“As soon as VSI discovered the incident, we took the steps referenced above. VSI notified the Federal Bureau of Investigation and will provide whatever cooperation is necessary to hold the perpetrators accountable, possible,” VSI said.

“VSI also notified the U.S. Health and Human Services Office for Civil Rights and consumer reporting agencies of this incident. VSI is also taking additional steps to prevent a similar event from occurring in the future.”