Back-Office Service Provider Reports 1.6 Million Affected by Dual Hacks in 2024


Landmark Admin Compromise Impacts Over a Dozen Insurance and Annuity Providers


Landmark Admin, a Texas-based vendor specializing in back-office administrative services for life insurance and annuity firms, has reported that approximately 1.6 million individuals and over a dozen of its clients may be affected by consecutive data exfiltration events that occurred in 2024. The breaches have compromised a broad spectrum of personal, financial, and health-related information.

According to its latest breach notification, the incidents began with unauthorized access initiated by cybercriminals in May 2024. Shortly thereafter, the attackers re-entered the system using a backdoor linked to a third-party backup appliance. Although the Landmark environment was built on a hardened Linux architecture designed to withstand cyber threats, these security measures did not prevent the breaches.

Landmark first identified anomalous activities on its network on May 13, 2024, leading to the confirmation of data theft two days later. The organization managed to recover the exfiltrated data by May 16, though it has not disclosed whether this recovery involved paying a ransom to the attackers. By May 22, a third-party cybersecurity firm concluded that the initial breach had been made using valid credentials through the company’s VPN.

The investigation did not establish how those credentials were compromised. Landmark took responsibility for remediation and implemented a comprehensive forensic review to understand the extent of the breach. After account passcodes were changed, the security team eventually determined that the vulnerabilities had been addressed and deemed the environment secure.

However, the situation deteriorated again when, on June 17, 2024, Landmark found evidence that the threat actors had re-entered its system and exfiltrated more data. The forensic team was unable to pinpoint which specific files had been compromised in this second round. The company stated that a significant portion of the data likely did not contain personally identifiable information (PII) and that it has no concrete evidence suggesting that PII was among the exfiltrated data.

This incident has affected a range of personal and financial data categories, including names, addresses, Social Security numbers, and medical records. Landmark has subsequently reported to state regulators, with the count of impacted individuals increasing to 1.6 million as of April 11, 2025, up from 806,519 in its October 2024 report.

The insurance companies involved, for which Landmark served as a third-party administrator, encompass several notable industry names, highlighting the widespread impact of this security breach. In response to the incident, Landmark has enhanced its security protocols, acquiring new servers, deploying state-of-the-art firewalls, and implementing rigorous access restrictions within its systems. It also mandated multi-factor authentication across all user and administrator logins to bolster protection against future attacks.

Following the breaches, Landmark reported the incidents to law enforcement while emphasizing that communications with affected individuals were not impeded by any ongoing investigations. Moreover, the company has opted to establish a completely new system disconnected from the previous infrastructure to mitigate any further risks. Landmark faces class action lawsuits alleging negligence regarding data security protections, and defenders remain alert to threats that use tactics such as initial access via valid credentials and privilege escalation, both documented in the MITRE ATT&CK framework.
