Roger Keith & Sons Insurance Agency, a long-standing Massachusetts-based insurance provider (since 1869), suffered a phishing attack in January 2025 in which an unauthorized actor accessed an employee’s email account and then infiltrated the company’s network via a remote desktop tool. The breach was confirmed in October 2025, exposing highly sensitive personal, financial, and health data of current and former clients, including Social Security numbers, driver’s license details, passport numbers, military IDs, financial account credentials (with access info), usernames and passwords, and limited health records. The incident was reported to the Maine and Massachusetts Attorneys General, and notifications were sent to affected individuals. While the total number of victims remains undisclosed, the breach poses severe risks of identity theft, financial fraud, and long-term reputational harm. The agency offered free credit monitoring (Experian IdentityWorks) and advised victims to place fraud alerts, monitor accounts, and seek legal recourse. Class action lawsuits are being investigated by firms like Shamis & Gentile P.A. for potential compensation claims.
Source: https://www.claimdepot.com/investigations/roger-keith-insurance-data-breach-2025
TPRM report: https://www.rankiteo.com/company/roger-keith-&-sons-insurance-agency
{
  "id": "rog0192501103025",
  "linkid": "roger-keith-&-sons-insurance-agency",
  "type": "Breach",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Undisclosed (Current & Former '
'Clients)',
'industry': 'Insurance (Personal & Business)',
'location': {'branches': ['Lakeville',
'Marion',
'Weymouth',
'Dennis Port',
'Hanson'],
'headquarters': 'Brockton, Massachusetts, '
'USA'},
'name': 'Roger Keith & Sons Insurance Agency',
'type': 'Insurance Agency'}],
'attack_vector': 'Phishing (Email Compromise) & Remote Desktop Tool '
'Exploitation',
'customer_advisories': ['Credit monitoring enrollment (Experian '
'IdentityWorks)',
'Fraud alert placement',
'Regular account monitoring',
'Legal rights consultation'],
'data_breach': {'data_exfiltration': "Suspected (Data 'Accessed or Acquired')",
'number_of_records_exposed': 'Undisclosed',
'personally_identifiable_information': ['Full Name',
'Date of Birth',
'SSN',
'Driver’s License '
'Number',
'Passport Number',
'Government-Issued ID',
'Mother’s Maiden Name',
'Credit/Debit Card '
'Numbers',
'Financial Account '
'Numbers',
'Usernames & '
'Passwords'],
'sensitivity_of_data': 'High (Includes SSN, Financial Account '
'Data, Health Info)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Information',
'Health-Related Information',
'Authentication Credentials']},
'date_detected': '2025-01-27',
'date_publicly_disclosed': '2025-10-29',
'description': 'Roger Keith & Sons Insurance Agency, a Massachusetts-based '
'insurance agency, discovered that an unauthorized actor '
'gained access to an employee email account via a phishing '
'attack, subsequently accessing the company’s network '
'environment through a remote desktop tool. Sensitive '
'personal, health, and financial information of current and '
'former clients may have been accessed or acquired. The breach '
'was disclosed on October 29, 2025, with notifications sent to '
'affected individuals by mail.',
'impact': {'brand_reputation_impact': 'Potential Reputation Damage (Class '
'Action Lawsuit Investigation '
'Initiated)',
'data_compromised': ['First and last name',
'Date of birth',
'Social Security number',
"Driver's license number",
'Passport number',
'Military or other U.S. government-issued '
'identification number',
"Mother's maiden name",
'Credit or debit card number (with access '
'information)',
'Financial account number (with access '
'information)',
'Username and password',
'Limited health-related information'],
'identity_theft_risk': 'High (Sensitive PII Exposed)',
'legal_liabilities': 'Potential Class Action Lawsuit & Regulatory '
'Scrutiny',
'payment_information_risk': 'High (Credit/Debit Card & Financial '
'Account Data Exposed)',
'systems_affected': ['Employee Email Account',
'Network Environment (via Remote Desktop '
'Tool)']},
'initial_access_broker': {'data_sold_on_dark_web': 'Suspected (Not Confirmed)',
'entry_point': 'Employee Email Account (Phishing)',
'high_value_targets': ['Client PII',
'Financial Data',
'Health Information']},
'investigation_status': 'Ongoing (Class Action Lawsuit Investigation by '
'Shamis & Gentile P.A.)',
'motivation': 'Likely Financial Gain (Data Theft for Fraud/Identity Theft or '
'Sale on Dark Web)',
'post_incident_analysis': {'root_causes': ['Successful Phishing Attack '
'(Employee Email Compromise)',
'Inadequate Remote Desktop Tool '
'Security',
'Lack of Multi-Factor '
'Authentication (MFA) or Access '
'Controls']},
'recommendations': ['Enroll in free credit monitoring (Experian '
'IdentityWorks)',
'Monitor financial statements for suspicious activity',
'Place a fraud alert on credit reports',
'Request free annual credit reports from major bureaus',
'Seek legal counsel for potential compensation'],
'references': [{'date_accessed': '2025-10-29',
'source': 'Roger Keith & Sons Insurance Agency - Data '
'Security Incident Notice'},
{'source': 'Shamis & Gentile P.A. - Class Action '
'Investigation'}],
'regulatory_compliance': {'legal_actions': 'Potential Class Action Lawsuit '
'(Under Investigation by Shamis & '
'Gentile P.A.)',
'regulatory_notifications': ['Maine Attorney '
'General (2025-10-29)',
'Massachusetts '
'Attorney General '
'(2025-10-29)']},
'response': {'communication_strategy': ['Website Notice (2025-10-29)',
'Mail Notifications to Affected '
'Clients',
'Regulatory Disclosures (Maine & '
'Massachusetts AGs)'],
'incident_response_plan_activated': 'Yes (Review Confirmed '
'Breach on 2025-10-06)',
'remediation_measures': ['Public Notice (Website & Mail '
'Notifications)',
'Offer of Free Credit Monitoring '
'(Experian IdentityWorks)']},
'stakeholder_advisories': ['Public Website Notice',
'Mail Notifications to Affected Clients'],
'threat_actor': 'Unauthorized Actor (Unknown)',
'title': 'Roger Keith & Sons Insurance Agency Data Breach',
'type': 'Data Breach (Phishing & Unauthorized Access)',
'vulnerability_exploited': 'Human Error (Phishing Susceptibility) & Weak '
'Remote Access Controls'}