Bridging individuals with technology thru innovative solutions & delivery of excellence in  service.

From 112k to 4MN – HR biz’s data spill from bad to worse • The Register

April 28, 2025


Houston-based VeriSource Services’ long-running probe into a February 2024 digital break-in shows the data of 4 million people – not just a few hundred thousand as it first claimed – was accessed by an “unknown actor”.

The tech company, which provides employee benefits administration services, began contacting those affected on April 23, and has now offered more details about the attack in a filing with the Maine Attorney General’s office.

Besides putting the number of affected individuals at an estimated 4 million, VeriSource said names, addresses, dates of birth, genders, and Social Security numbers may have been stolen, although the data points won’t be the same for each person.

The total number of affected individuals and the fact that gender and home address information may have been pinched are the main updates to the company’s previous notification letters sent out last year.

The filing with the Maine AG’s office – late last week – is the second disclosure released by the company. The earlier one was published in August 2024 with the US Health and Human Services Office for Civil Rights. According to that earlier filing, VeriSource thought at the time that only around 112,000 people were affected.

That initial notification followed the first round of investigations, which focused on determining whether sensitive data had been stolen. The latest one follows VeriSource’s work with its “client companies” to gather more information about the incident, which concluded on April 17.

In typical form for these kinds of disclosures, VeriSource said it hasn’t seen “evidence” to suggest any of the stolen data has yet been misused, saying it has worked with the FBI since the incident occurred more than a year ago.

No known cybercriminal groups have claimed responsibility for the attack, and VeriSource has not detailed the nature of the hit – whether it was a pure data grab, whether ransomware was involved, or otherwise.

Everyone who receives a letter from VeriSource about the attack is being offered credit monitoring and identity theft protection services for 12 or 24 months, again, as is typical in these situations.

“The privacy and protection of personal and protected health information is our top priority, and [VeriSource] deeply regrets any inconvenience or concern this incident may cause,” the company said in an online version of the notification letter.

The news comes after the FBI released its updated annual cybercrime figures last week, complete with all the signs of a worsening threat landscape.

Cybercrime cost US organizations and individuals an estimated $16.6 billion last year – a “staggering” sum and the highest on record. ®


