A stolen employee credential gave an attacker unrestricted access to the insurance records and driver's license numbers of 6.99 million Americans, in the largest known US driver's license exposure reported in 2026.
AssuranceAmerica, an Atlanta-based auto insurer, detected suspicious activity in its network on March 17, 2026. BleepingComputer reported that an external forensics investigation traced the intrusion to March 16, when an attacker used compromised employee credentials to access portions of the company's IT environment and began copying customer data files. The stolen records cover 6.99 million individuals and include names, contact details, automobile insurance policy information, vehicle and driver data, claims records, and driver's license numbers. The company completed its review of the accessed data on June 15 and began notifying affected customers in July.
AssuranceAmerica's disclosed response included disabling the compromised credentials, terminating unauthorized sessions, isolating affected systems, resetting passwords, and deploying enhanced monitoring. The company has stated that it has no current evidence of fraudulent use of the stolen records.
Two things are worth examining closely.
What scanners would have missed
The attacker did not exploit a vulnerability. They used a valid password.
Vulnerability scanners classify risk by matching observed conditions against known-bad signatures. A CVSS score describes a flaw in software. Neither applies when an attacker authenticates as a legitimate employee. From the application's perspective, a stolen credential and a genuine one produce identical sessions.
DAST tools might probe the employee login portal for injection flaws or authentication bypasses. They will not test what a correctly authenticated session can reach from the inside. SCA adds nothing relevant here. SAST cannot surface an access control gap that lives in application configuration and business logic rather than code syntax.
Here is what the scanner gap looks like in concrete terms for this breach:
- No scanner tested whether a single employee account could bulk-export the full customer record set.
- No scanner assessed whether the API behind the employee portal enforced per-session row limits or export ceilings.
- No scanner modeled the blast radius if one account in the employee directory were compromised.
- No scanner flagged that 6.99 million records were reachable from a single authenticated session.
The failure mode is not a missing patch. It is a privilege scope that was never treated as an attack surface.
What Sekura would have shown
Sekura's Phase 3 agent (dynamic probing) works from inside authenticated sessions, not from the unauthenticated perimeter.
After Phase 2 recon identifies the employee-facing portal as an attack surface, Phase 3 probes it from the perspective of a correctly authenticated session. It tests for bulk data export paths, API endpoints that accept wildcard queries, pagination handlers without row caps, and access control boundaries that differ between user roles. Where a single session can reach data beyond what that role's function requires, the agent records a finding.
Here is what the attack path would have looked like in Phase 3's output:
Phase 3 would have produced a finding showing that a single authenticated employee session could enumerate and download the full customer dataset through the internal API, with no enforced row ceiling. In Phase 4 (exploit synthesis), we would then generate the proof: a deterministic script that authenticates with a test credential and confirms the complete export path, demonstrating the blast radius before any unauthorized party reached it.
I think that distinction matters. No CVE exists for "overly permissive employee data access." CVSS has no score for it. But a working proof of bulk export makes the risk concrete in terms any incident response team can act on directly.
The bigger pattern
Credential-based intrusions have become the dominant pattern in US insurance-sector breach disclosures in 2026. The sequence is consistent: one employee credential obtained via phishing or credential reuse, one authenticated session, and access to everything that session can reach.
Insurance companies are a frequent target for this pattern. They hold driver's license numbers, claims histories, vehicle details, and payment records. That combination is directly useful for identity fraud and insurance fraud. The systems holding that data were built for employee workflow efficiency, not for limiting the blast radius of a single compromised account.
The perimeter has been hardened over many years. The attacks have moved to the inside.
If you want to see what proof-first access testing looks like on your own employee authentication surface, book a POC.