On March 13, 2025, Goosehead Insurance Agency detected a ransomware attack in which unauthorized actors encrypted systems and exfiltrated 300 GB of sensitive consumer data, including PII (names, Social Security numbers, driver’s license numbers, state IDs, and financial account details). The breach, attributed to the CHAOS ransomware group, impacted at least five Maine residents, with broader nationwide exposure likely. The attackers leaked the stolen data on the dark web on March 31, 2025, heightening the risk of identity theft and financial fraud. The company disclosed the incident to regulators (the Maine and California Attorneys General) and to affected individuals on October 10, 2025, offering fraud protection guidance. The attack combined data encryption, theft, and public exposure, severely compromising customer trust and operational security. Response measures included law enforcement engagement, system safeguards, and employee training, but the breach’s scale and the sensitivity of the exposed data pose long-term reputational and financial risks.
Source: https://www.claimdepot.com/data-breach/goosehead-insurance-2025
TPRM report: https://www.rankiteo.com/company/goosehead-insurance
{
  "id": "goo2992929101325",
  "linkid": "goosehead-insurance",
  "type": "Ransomware",
  "date": "3/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'at least 5 (Maine residents), '
'likely higher nationwide',
'industry': 'insurance',
'location': 'Westlake, TX, USA',
'name': 'Goosehead Insurance Agency, LLC',
'type': 'insurance agency'}],
'customer_advisories': {'dedicated_assistance_line': '855-291-2657 '
'(Monday–Friday, 8 '
'a.m.–8 p.m. CST)',
'guidance_provided': ['fraud alert placement',
'credit freeze instructions',
'monitoring financial accounts',
'reporting identity theft'],
'mailing_address': '1500 Solana Blvd Building 4, '
'Suite 4500, Westlake, TX 76262'},
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'personally_identifiable_information': ['names',
'Social Security '
'numbers',
'driver’s license '
'numbers',
'state identification '
'numbers'],
'sensitivity_of_data': 'high (SSNs, driver’s license numbers, '
'financial data)',
'type_of_data_compromised': ['PII',
'financial account information']},
'date_detected': '2025-03-13',
'date_publicly_disclosed': '2025-10-10',
'description': 'On March 13, 2025, Goosehead Insurance Agency discovered that '
'files within its systems, servers, and workstations had been '
'encrypted by an unauthorized actor. An internal investigation '
'revealed that between March 6 and March 13, 2025, this actor '
'gained access to certain systems and downloaded files '
'containing sensitive consumer data. The breach affected at '
'least five Maine residents, with the total number of '
'individuals impacted likely higher nationwide. The attack was '
'attributed to the ransomware group CHAOS, who claimed to have '
'stolen 300 GB of Goosehead’s data and posted about the hack '
'on the dark web on March 31, 2025. The attackers encrypted '
'files and exfiltrated data, raising the risk of identity '
'theft and financial fraud for affected individuals.',
'impact': {'brand_reputation_impact': 'high (due to sensitive data exposure '
'and public disclosure)',
'data_compromised': ['personally identifiable information (PII)',
'names',
'Social Security numbers',
'driver’s license numbers',
'state identification numbers',
'financial account information'],
'identity_theft_risk': 'high',
'legal_liabilities': 'potential (notifications to Maine and '
'California Attorneys General)',
'payment_information_risk': 'high',
'systems_affected': ['servers', 'workstations']},
'initial_access_broker': {'data_sold_on_dark_web': True,
'high_value_targets': ['consumer PII',
'financial data'],
'reconnaissance_period': '2025-03-06 to 2025-03-13'},
'investigation_status': 'completed (internal investigation; notifications '
'issued)',
'motivation': ['financial gain', 'data theft'],
'post_incident_analysis': {'corrective_actions': ['additional safeguards',
'employee training']},
'ransomware': {'data_encryption': True, 'data_exfiltration': True},
'recommendations': ['Monitor financial accounts and credit reports for '
'unusual activity',
'Place a fraud alert or credit freeze with major credit '
'bureaus (Equifax, Experian, TransUnion)',
'Remain vigilant for phishing attempts or suspicious '
'communications',
'Report suspected identity theft to law enforcement and '
'the Federal Trade Commission'],
'references': [{'source': 'Goosehead Insurance Agency Breach Notice'},
{'date_accessed': '2025-03-31',
'source': 'CHAOS Ransomware Group Dark Web Post'}],
'regulatory_compliance': {'regulatory_notifications': ['Maine Attorney '
'General',
'California Attorney '
'General']},
'response': {'communication_strategy': ['written notice to affected '
'individuals',
'dedicated assistance line',
'guidance on identity theft '
'protection'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'remediation_measures': ['additional safeguards',
'employee training']},
'threat_actor': 'CHAOS (ransomware group)',
'title': 'Goosehead Insurance Agency Ransomware and Data Breach (2025)',
'type': ['ransomware', 'data breach', 'unauthorized access']}