Insurance giant Globe Life, which provides life and health insurance policies to millions of Americans, says it is being extorted by a hacker that has stolen customers’ sensitive data.
In a regulatory filing with the U.S. Securities and Exchange Commission on Thursday, the Texas-based conglomerate said it has “recently received communications” from an unknown threat actor who is seeking to extort money from the company in exchange for not disclosing data stolen from its systems.
The compromised data, which Globe Life has traced back to its American Income Life Insurance Company subsidiary, includes personally identifiable information, such as customer names, postal addresses, and phone numbers. In “some cases,” the data also includes Social Security numbers, health-related data and other policy information, according to the company’s filing.
Globe Life says that approximately 5,000 individuals are known to be affected by the data breach so far, but concedes that the “total number of potentially impacted persons or the full scope of information possessed by the threat actor has not been fully verified,” suggesting that the number of affected individuals is likely to be far higher. Globe Life says it has more than 17 million policies in force, while AIL has at least two million policyholders at its last public count.
According to Globe Life’s filing, the hacker responsible for the breach “claims to possess additional categories of information, which claims remain under investigation and have not been verified,” but states that the compromised information does not appear to contain financial information such as credit card data or banking information.
The cybersecurity incident appears to be an extortion-only attack, with Globe Life saying the incident did not involve the use of file-encrypting ransomware.
In the case of Globe Life, the organization notes that the threat actor has also shared “information about a limited number of individuals to short sellers and plaintiffs’ attorneys,” likely in a bid to pressure the company into paying its extortion demands.
The hackers’ demands are not yet known, and Globe Life spokesperson Jennifer Haworth declined to answer TechCrunch’s questions.
Globe Life says it has reported the incident to federal law enforcement.
