Back to Blog
high severity June 22, 2026 · scope unconfirmed

NationsBuilders Insurance Services Listed by aurora Ransomware Group

[insurance] *** (NBIS) is the premier US underwriter of crane & rigging, concrete-pumping, heavy-haul, and residential-builder insurance — a specialty managing general underwriter founded in Atlanta in 2001, acquired by Align Financial / DUAL North America (Howden Group) in August 2021. 2,748,845 filetree entries across 24 shares (AIM, IMAGERIGHT, the claims and policy-admin stores, HR, finance, IT, and a decade of M&A diligence rooms).

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed June 22, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On June 22, 2026, NationsBuilders Insurance Services appeared on the leak site of the Aurora ransomware group. The incident involves the exfiltration of internal files from an insurance company that underwrites specialized coverage for crane and rigging operations, concrete pumping, heavy-haul transport, and residential builders. Public reporting indicates that anyone whose insurance records, claims, employment files, or financial data passed through NBIS may have had information exposed.

Confirmed Details of the Breach

Available reporting describes 2,748,845 filetree entries taken from 24 separate network shares. These included systems named AIM, IMAGERIGHT, claims and policy administration stores, HR, finance, IT, and multiple diligence rooms spanning a decade of merger and acquisition activity. The data consists of internal files exfiltrated during a ransomware attack; the exact number of individuals affected remains unknown. The leak site posting on June 22, 2026, confirms that the files are now publicly listed for anyone who accesses the group’s onion address.

Why This Matters for You and Your Family

If you hold an insurance policy underwritten by NBIS, work in construction, heavy equipment operation, or residential building, or have ever been involved in a claim handled by the company, your personal information could be inside the stolen files. The same applies to family members listed on policies, employees whose HR records were stored on the network, or anyone whose financial or medical details appear in a decade’s worth of M&A diligence materials. Once this volume of structured insurance data reaches criminal forums, it can be used for identity theft, fraudulent claims, or targeted scams that feel personal because the attackers already know details about your home, vehicles, or business.

The Doxxing and Identity-Chain Risks

Insurance records frequently contain names, addresses, dates of birth, Social Security numbers, policy numbers, and contact information for multiple household members. These details serve as anchor points that link disparate online handles, email addresses, and phone numbers into a single identity profile. Credential leaks like this one often cascade into account takeovers on personal email, banking, or gaming platforms. Public reporting indicates that children’s gaming accounts are especially vulnerable because parents frequently reuse passwords or security questions derived from family insurance or employment records. The result is a doxxing chain that can expose your home address, children’s names and ages, and daily routines to harassers or identity thieves.

Aurora Ransomware Group’s Known Track Record

Public reporting attributes the attack to the Aurora ransomware group. The group emerged in late 2024 and has targeted organizations across multiple sectors with a consistent playbook: gain initial access, exfiltrate data before encryption, and then extort victims by threatening to publish sensitive files on their leak site. Notable prior victims include other insurance and financial services firms as well as healthcare providers. Their extortion style typically involves publishing samples of stolen data and setting short deadlines for payment before releasing full archives. Readers can follow independent trackers for ongoing Aurora activity.

What to do

  • Run a DoxxScan to map every link between your emails, phone numbers, handles, and real identity so you can see exactly what this NBIS leak connects to.
  • Rotate every password you used at NationsBuilders Insurance Services or any related vendor, then enable 2FA through an authenticator app rather than SMS.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure of your data is caught in hours instead of months.
  • Cover the household with DoxxScan family coverage that extends to dependents and children’s gaming accounts, which often chain back to the same leaked addresses and records.
  • Let remediation specialists handle takedown requests across data brokers and exposed repositories while you focus on securing your own accounts.

The incident underscores that insurance data breaches now move faster than most people can react on their own. A single leak like this can quietly feed multiple identity theft schemes for years. DoxxScan by GalaxyWarden offers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping that connects scattered handles to real people, and hands-on remediation by specialists who manage takedowns for you and your entire household, including children’s gaming accounts. Starting early limits how far attackers can travel down the chain that begins with this week’s posting.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.