Liberty Mutual Insurance is facing a class action lawsuit alleging it failed to safeguard the personally identifiable information (PII) and protected health information (PHI) of more than 15,000 clients exposed in a recent ransomware attack attributed to the Everest group. Everest has since listed these sensitive records on its dark web leak site. Both plaintiffs report downstream harm already — a surge of phishing and scam contacts in one case, fraudulent charges to a checking account in the other — and are seeking nationwide and Massachusetts subclass certification, with claims spanning negligence, breach of implied contract, invasion of privacy, and violations of the Massachusetts Consumer Protection Act.

The case illustrates a pattern that has become central to ransomware litigation: the legal and reputational damage is driven less by encryption of systems and more by the exfiltration of unencrypted sensitive data that precedes it. Modern ransomware operators like Everest routinely spend days or weeks inside an environment staging data for theft before any ransomware payload fires — moving laterally, abusing valid credentials, and pushing large volumes of PII and PHI out through legitimate-looking channels such as HTTPS, cloud storage APIs, or DNS tunneling.

Reducing that exposure requires visibility into the full attack chain, not just the encryption event. Effective detection of ransomware-driven data theft depends on correlating identity and authentication events, endpoint behavior, east-west network flows, DNS activity, and packet-level egress data in a single analytical plane — with baselining of normal data volumes per user, application, and destination so that anomalous exfiltration stands out before terabytes leave the network. Unified cybersecurity and observability platforms like NIKSUN give security teams the cross-domain context needed to catch and stop staging and exfiltration in progress. Read more about this story on our LinkedIn page