A data breach at Bankers Life might have compromised the personally identifiable information of over half a million people.
On 25 October 2018, Fortune 1000 company CNO Financial Group, Inc. submitted a report to the Office for Civil Rights’ Breach Portal at the U.S. Department of Health and Human Services. The report revealed an instance of unauthorized access/disclosure involving one of the subsidiaries of CNO that provide insurance products and services to U.S. customers. It also specified that the security incident had potentially affected 566,217 people.
DataBreaches.net traced the event to Bankers Life after discovering a breach announcement made by the CNO subsidiary. Here’s what the company told customers about the data security issue:
We recently discovered that unauthorized third parties accessed credentials belonging to a limited number of our employees between May 30 and September 13, 2018. During this period, unauthorized third parties used improperly obtained employee information to gain access to certain company websites, potentially resulting in unauthorized access to personal information of policyholders and applicants.
It’s unclear from the announcement how the actors responsible for the incident obtained those employees’ credentials in the first place.
After learning of the suspicious activity on 7 August, Bankers Life explained in its statement that it notified federal law enforcement and hired an external forensics investigator. This expert helped determine that the incident might have compromised affected users’ names, addresses, dates of birth, insurance information and the last four digits of their Social Security Number. The investigation also found that attackers might have exposed more sensitive pieces of information including full Social Security Numbers and banking information for a minority of victims.
Bankers Life said it contacted all possible victims of the data breach and offered free credit monitoring and identity protection services to all affected individuals. It also urged affected individuals to monitor their account statements for suspicious activity.
News of this security incident comes just a few days after HSBC Bank sent a letter to an undisclosed number of customers informing them of a data breach that might have exposed their personal information.