HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

ShinyHunters Ransomware Group Exposes 269K Kemper Insurance Customer Records via Salesforce Compromise

In April 2026, the ShinyHunters ransomware gang breached Kemper Corporation's Salesforce environment through a phishing attack, leaking 269,299 records that contain personal identifiers and partial credit‑card data. The incident underscores the third‑party risk of SaaS credential compromise for insurers and their fintech partners.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 haveibeenpwned.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
5 recommended
📰
Source
haveibeenpwned.com

ShinyHunters Ransomware Group Exposes 269K Kemper Insurance Customer Records via Salesforce Compromise

What Happened — In April 2026, the ShinyHunters ransomware gang announced a “pay‑or‑leak” extortion campaign after gaining unauthorized access to Kemper Corporation’s Salesforce environment through a targeted phishing campaign. The attackers later published tens of gigabytes of data that included personal identifiers, contact information, and partial payment‑card details for 269,299 unique email addresses. Kemper confirmed the breach, engaged third‑party cybersecurity experts, and notified law enforcement.

Why It Matters for TPRM

  • Social‑engineering attacks on SaaS platforms can compromise large volumes of customer data across an entire supply chain.
  • Exposure of PII and partial payment‑card data creates downstream fraud and compliance risks for insurers, fintech partners, and downstream service providers.
  • Highlights the necessity of strict credential management, MFA enforcement, and continuous monitoring of third‑party cloud environments.

Who Is Affected — Insurance and financial services customers; downstream partners that consume Kemper’s APIs; SaaS providers (Salesforce) and payment processors (Stripe).

Recommended Actions — Review Kemper’s third‑party access controls and MFA enforcement; conduct credential hygiene audits for all SaaS accounts; verify encryption/tokenization of payment data; implement continuous monitoring for anomalous access to cloud services; consider contractual clauses for breach notification and remediation with SaaS vendors.

Technical Notes — Attack vector: phishing/social engineering to obtain valid Salesforce credentials; no public CVE was exploited. Exfiltrated data includes email addresses, names, phone numbers, physical addresses, and partial credit‑card data (last 4 digits, expiry dates, card brand). Source: https://haveibeenpwned.com/Breach/Kemper

📰 Original Source
https://haveibeenpwned.com/Breach/Kemper

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →