Our Daily Breach 2024/10/17
Fidelity rewards customer loyalty by sharing the private identities of 77,000 customers. American Income Life Insurance is being extorted.
I'm going on a limb to say that our readers don't manage their assets with Fidelity, so we're going to skip over how their InfoSec managed to have the identities of 77,000 customers exposed. If that interests you, TechCrunch did a good job covering this with a bonus gesture in their edit notes. The journalistic integrity made me smile.
I think our chances of reaching an audience are better by following up on this extortion attempt on the American Income Life Insurance company, owned by Globe Life, Inc. According to their SEC filing today (2024/10/17):
A threat actor sent the Company PII data of around 5000 customers demanding payment to not disclose this.
Globe Life Inc. (the “Company”) recently received communications from an unknown threat actor seeking to extort money from the Company in exchange for not disclosing certain information held and used by the Company and its independent agents. After becoming aware of this, the Company immediately activated its incident response plan and, with the assistance of experienced counsel and external cybersecurity experts, launched an investigation. The Company has reported this extortion attempt to and is cooperating with federal law enforcement.
Based on the Company’s investigation to date, which remains ongoing, the Company believes that information relayed to the Company by the threat actor may relate to certain customers and customer leads that can be traced to the Company’s subsidiary, American Income Life Insurance Company. This information includes certain personally identifiable information categories such as names, email addresses, phone numbers, postal addresses, and in some instances Social Security numbers, health-related data, and other policy information for approximately 5,000 individuals; however, the total number of potentially impacted persons or the full scope of information possessed by the threat actor has not been fully verified. This information does not appear to contain personally identifiable financial information such as credit card data or banking information. Most recently, the threat actor also shared information about a limited number of individuals to short sellers and plaintiffs’ attorneys. The threat actor claims to possess additional categories of information, which claims remain under investigation and have not been verified.
I'm wondering who the Company pissed off this time because to send your data to a plaintiff takes effort. More effort than you'd expect from opportunistic cybercriminals. Based on these comments and sentiments people have towards the Company, one cannot be surprised if this is the unfolding of a tale of vengeance towards insurance companies as an institution.
