Breach taxonomy
Summary
In October 2024, Globe Life Inc. received communications from an unknown threat actor seeking extortion money in exchange for not disclosing company information. Investigation confirmed approximately 5,000 individuals had PII obtained (names, email addresses, phone numbers, addresses, dates of birth, SSNs, health-related data, and insurance policy information) from databases maintained by a small number of independent agents; data was distributed to short sellers and plaintiffs' attorneys. Globe Life declined to pay the extortion demand, notified law enforcement, and issued voluntary notifications to approximately 850,000 additional individuals whose data was stored in the same databases. The company sought insurance reimbursement for remediation costs. Disclosed via 8-K/A amendment filed January 30, 2025.
Tagging rationale
ThreatCyber Criminals
Filing states the threat actor sought 'to extort money from the Company' — explicit financial extortion motive -> CYBER-CRIMINALS.
MethodsData Exfil
Threat actor obtained PII from databases maintained by independent agents and distributed the data to third parties; the filing confirms unauthorized data access and exfiltration -> DATA-EXFIL.
AssetsPersonal Data
Filing confirms names, email addresses, phone numbers, postal addresses, dates of birth, SSNs, health-related data, and insurance policy information were obtained for ~5,000 confirmed and ~850,000 potentially affected individuals -> PERSONAL-DATA.
EffectsCyber ExtortionInfo Privacy Loss
Threat actor demanded extortion payment threatening public disclosure of data (CYBER-EXTORTION); PII including SSNs and health data was accessed and distributed to short sellers and plaintiffs' attorneys (INFO-PRIVACY-LOSS).
Business continuityNot Required
Filing confirms 'the extortion attempts did not involve the use of ransomware or result in any interruption to the Company's systems, services, or business operations' -> Not Required.
Impact
PII including SSNs and health data confirmed for 5,000 individuals with voluntary notifications to 850,000 more; extortion demand refused; data distributed to short sellers and attorneys -> score 3.
InsuranceYes
Filing states 'The Company will seek reimbursement of costs, expenses and losses stemming from this matter by submitting claims to its insurers' -> true.
Read the original SEC filing excerpt
Item 8.01 Other Events. As disclosed on October 17, 2024, Globe Life Inc. (the "Company") received communications from an unknown threat actor seeking to extort money from the Company in exchange for not disclosing certain information held and used by the Company and its independent agents. The Company is filing this amendment (this "Amendment") to amend and supplement the Original Form 8-K. As originally disclosed, pursuant to the Company's incident response plan and with the assistance of external cybersecurity experts and legal counsel, the Company verified the threat actor had obtained the personally identifiable information of approximately 5,000 individuals. With the assistance of these external advisors, the Company confirmed that data categories, including names, email addresses, phone numbers, postal addresses, and in some instances dates of birth, Social Security numbers, health-related data and other insurance policy information, were obtained and that certain of this data was distributed to short sellers and plaintiffs' attorneys. The investigation determined the exposure by the threat actor did not include personally identifiable financial information. The Company did not pay the demanded extortion payment and instead notified federal law enforcement and continues to assist law enforcement in the investigation of this activity. The Company has initiated the process to provide notification to, and credit monitoring services for, these individuals. Based on the Company's review, the customer information was traced to specific databases maintained by a small number of independent agency owners. Out of an abundance of caution, the Company has also initiated the process to provide voluntary notifications to, and credit monitoring services for, approximately 850,000 additional individuals whose information was also stored in the relevant databases. The Company has confirmed the extortion attempts did not involve the use of ransomware or result in any interruption to the Company's systems, services, or business operations. The Company will seek reimbursement of costs, expenses and losses stemming from this matter by submitting claims to its insurers.