AssuranceAmerica Managing General Agency, LLC — an Atlanta-based non-standard auto insurance MGA — says suspicious activity on its systems may have exposed the personal information of more than 1.1 million people.
Residents in California, Massachusetts, Nebraska, South Carolina, Texas, Vermont, and Washington are being notified after a review of copied data files was completed in mid-June 2026.
What Happened
According to the company’s California Attorney General notice letter:
- March 16, 2026 — Malicious activity targeted one AssuranceAmerica employee (consistent with phishing or social engineering).
- March 17, 2026 — The company detected suspicious activity on part of its IT environment.
- An unauthorized third party accessed AssuranceAmerica systems and copied data files.
- June 15, 2026 — File review completed; notification letters began going out in June 2026.
The nearly three-month gap between detection and completed review reflects the volume of policyholder records aggregated across AssuranceAmerica’s retail agent and broker network — a wider blast radius than a single-carrier breach typically creates.

Data at Risk
Affected files may include names plus one or more of:
- Contact information
- Automobile insurance policy or account information
- Driver and vehicle information
- Claims-related information
- Driver’s license numbers
- Tax ID information
- Social Security numbers
AssuranceAmerica is offering 12 months of complimentary IDX credit monitoring to affected individuals. If you received a notice, enroll through the instructions in your letter and watch for follow-on identity theft and impersonation scams.

Reported Impact by State
State AG filings and breach aggregators have published partial resident counts (figures may overlap reporting channels):
| State | Reported residents affected |
|---|---|
| South Carolina | 611,046 |
| Texas | 500,987 |
| Washington | 8,950 |
| Massachusetts | 3,569 |
| Vermont | 272 |
| California | Filed with CA AG (count not published on list) |
| Nebraska | Filed with NE AG |
Combined published totals exceed 1.1 million when South Carolina and Texas filings are included. AssuranceAmerica also appeared on the California AG breach list published June 17, 2026, with breach dates of March 16–17, 2026.
Why Employee-Targeted Attacks Hit MGAs Hard
Insurance sector losses increasingly start with human-layer compromise, not firewall gaps:
- Coalition’s 2026 Cyber Claims Report found business email compromise and funds transfer fraud together accounted for 58% of cyber incidents in 2025.
- Resilience reported social engineering drove 57% of incurred cyber claims in the first half of 2025.
For an MGA, one compromised employee credential can expose policyholder files shared across many downstream agents — multiplying notification and fraud risk.

Independent Cybersecurity Audit
An EmailMeNow Cybersecurity Audit of AssuranceAmerica’s primary public domains on June 29, 2026 found weak overall posture — especially email identity controls that make post-breach impersonation easier.
| Domain | Overall | Identity & Spoofing | Transport Security | Website Security | Risk Level |
|---|---|---|---|---|---|
| assuranceamerica.com | 34% | 0% | 15% | 45% | Weak |
| aamga.com | 33% | 0% | 15% | 45% | Weak |
Key findings:
- 0% Identity & Spoofing on both domains — no effective DMARC enforcement for spoofed
@assuranceamerica.comor@aamga.commessages that could target agents or policyholders after a breach. - 15% Transport Security — MTA-STS/TLS-RPT gaps leave room for mail-path downgrade risks.
- Email Infrastructure scores higher (Microsoft 365 on the primary domain), but identity and transport weaknesses undermine the value of hosted mail security.
Weak public-domain email controls do not cause a breach by themselves, but they amplify harm when attackers already have policyholder contact data and SSNs.
Audit links:
Recommendations
If you received a notice:
- Enroll in the IDX monitoring offered in your letter using only the official URL printed there — not links from unsolicited email or text.
- Freeze or monitor credit; watch for auto-loan, claims, and tax-related identity fraud.
- Report suspicious messages impersonating AssuranceAmerica or its agents.
For insurance organizations and MGAs:
- Enforce phishing-resistant MFA and help-desk verification for all staff with access to policyholder files.
- Deploy DMARC
p=rejectwith SPF alignment on every customer-facing domain before the next incident. - Segment MGA platforms from agent workstations; log and alert on bulk file exports.
- Test incident notification timelines — 90-day review gaps extend victim exposure.
Related trackers
- California AG breach tracker
- California June roundup
- Texas OAG YTD dashboard
- Financial services tracker
- Breach monitoring guide
- All state AG trackers
Protect your organization and policyholders.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com to evaluate SPF, DKIM, DMARC, MTA-STS, and website hardening.
Contact EmailMeNow IT Consulting for MGA email security assessments, DMARC enforcement, and incident response planning.
Sources: California AG — AssuranceAmerica notice letter (PDF) · Insurance Business — employee-targeted attack · EmailMeNow audit — assuranceamerica.com · EmailMeNow audit — aamga.com