Although Hub International Limited is not as well-known as some other businesses, it has gained notoriety among the approximately 500,000 individuals whose personal information was compromised in a cyberattack that occurred between December 2022 and January 2023. One of the biggest insurance brokerage operations in North America, Hub is the type of company that quietly operates in the background of people’s personal and professional lives, handling insurance arrangements for individuals, carriers, and employers across a variety of coverage types. A remarkably extensive collection of personal data, including full names, Social Security numbers, driver’s licenses, passport numbers, financial account information, health insurance records, and medical information, was stored somewhere in its systems. Cybercriminals entered in late 2022, copied what they discovered, and departed.
It took several months for the breach to be made public. The first lawsuits were filed by August 2023. Ellis v. Hub International Limited, which was filed in Chicago’s federal courthouse in the Northern District of Illinois and assigned to Judge John Tharp, was ultimately the result of the consolidation of four distinct class actions. The lead plaintiff, Shannan Ellis, was joined by three others — Rich Freiberg, Christopher Roy, and Stephen Ries — representing a class estimated at 514,477 individuals, a mix of Hub’s current and former employees, clients whose insurance Hub managed, and people connected to the carriers and employers Hub serves.
Amended complaints, motions to consolidate, discovery disputes, confidentiality orders, and regular status reports informing the court of the status of settlement talks were all commonplace in federal litigation. The parties conducted discovery and looked into mediation at the same time for the majority of 2024. The court decided to put the case on hold in August 2024 while settlement negotiations took place. The parties had reached a conceptual agreement by January 2025. The preliminary approval came in April 2025, and the final approval hearing was held via WebEx conference on January 14, 2026.
The settlement fund was set at $4.65 million — a non-reversionary structure, meaning Hub doesn’t get money back if the fund isn’t fully claimed, which is a meaningful distinction. There were two main choices for claimants. Up to $5,000 could be awarded to those who could prove out-of-pocket losses related to the breach, such as expenses for credit monitoring, identity theft remediation, fraudulent charges, and problems with financial accounts. An alternative cash payment, initially estimated at $150, was available to those without documentation. Additionally, the settlement offers identity theft protection services and credit monitoring.
The Broker Who Lost Your Data: Inside the Ellis vs Hub International Limited Settlement
| Case Name | Ellis v. Hub International Limited |
|---|---|
| Case Number | 1:23-cv-06137 |
| Court | U.S. District Court, Northern District of Illinois |
| Judge | Honorable John Joseph Tharp Jr. |
| Magistrate Judge | Honorable Heather K. McShain |
| Lead Plaintiff | Shannan Ellis |
| Additional Plaintiffs | Rich Freiberg, Christopher Roy, Stephen Ries |
| Defendant | Hub International Limited |
| About Hub International | One of the largest insurance brokerage firms in North America; provides insurance products across health, property, casualty, and specialty lines |
| Data Breach Dates | December 2022 – January 2023 |
| Nature of Breach | Cybercriminals gained unauthorized access to Hub systems and copied stored files |
| Data Compromised | Full names, Social Security numbers, driver’s licence numbers, passport numbers, financial account information, health insurance information, medical information |
| Individuals Affected | Approximately 514,477 (current/former employees, insurance clients, carrier contacts) |
| Original Lawsuits Filed | 4 separate lawsuits, consolidated September 27, 2023 |
| Complaint Originally Filed | August 25, 2023 |
| Settlement Amount | $4,650,000 (non-reversionary fund) |
| Settlement in Principle Reached | January 2025 |
| Preliminary Approval Granted | April 23, 2025 |
| Final Approval Hearing | January 14, 2026 |
| Original Alternative Cash Payment | $150 (subject to pro-rata adjustment) |
| Actual Payout (Pro-Rated) | Approximately $45.40 (due to high claim volume) |
| Maximum Documented Loss Claim | Up to $5,000 per claimant |
| Lost Time Compensation | Up to 3 hours at $20/hour |
| Additional Benefits | Credit monitoring and identity theft protection services |
| Settlement Website | hubdatasettlement.com |
The $150 alternative cash payment was not made. It cost about $45.40. As is frequently the case in data breach class actions, where the settlement is sized based on projections that don’t always account for actual participation levels, the pro-rata adjustment occurred because more people filed claims than the fund could fully accommodate at the advertised rate. For claimants who filed expecting $150 and received less than a third of that amount, it’s a confusing experience. Anyone who follows this field closely won’t be surprised by the math, but it serves as a frustrating reminder of how far individual compensation typically deviates from the stated maximums.
The number of people who had actually forgotten they had filed a claim at all is what’s noteworthy about the Reddit discussion that surfaced after payments were made. The lawsuit was filed in 2023, the breach occurred in late 2022, the settlement process lasted until 2025, and payments arrived in early 2026. The time between the breach and the payout is more than three years. Individuals who received $45.40 in their Venmo accounts had to look up what it was used for. One recipient mentioned that their only connection was that they had interned at Hub years prior. Another mentioned, somewhat resentfully, that they were still employed by Hub International and that their employer had paid them a settlement for failing to protect their data.
That last scenario is especially uncomfortable. By its very nature, insurance brokerage requires the kind of detailed personal information that other industries don’t usually have, such as financial accounts, health coverage details, and information that sits at the intersection of employment, health, and finances all at once. Because the business relationship demanded it, Hub’s clients and staff trusted the firm with some of their most private information. The breach occurred because Hub held the information on their behalf and its systems weren’t sufficiently secured, not because people willingly gave it away.
From the public record, it is still unclear how exactly hackers gained access to Hub’s systems and what particular security flaws allowed the intrusion to remain undetected long enough for files to be copied and deleted. In the settlement, Hub did not acknowledge any liability. As is usually the case, the company paid to put an end to the litigation without a formal finding of wrongdoing. That solution might or might not feel like accountability to the 514,477 people who are currently keeping an eye on their credit and making $45 payments into their bank accounts. It usually feels like something in between when you watch these settlements pay out.
