CNO Financial Group Data Breach (2018)

medium VERIS
Disclosed

May 30, 2018

2858 days ago

Records

566.1K

Confirmed

Root Cause

Hacking

Industry

Finance

Description

On October 25, Fortune 1000 company CNO Financial Group, Inc. submitted a report to the Office for Civil Rights’ Breach Portal at the U.S. Department of Health and Human Services. The report revealed that the personally identifiable information of 566,127 people was accessed by an unauthorized party through a subsidiary of CNO, Bankers Life.

This particular breach was the result of threat actors obtaining the credentials of Bankers Life employees, highlighting a need for enterprises to educate their employees on the threats that lurk in the shadows and the importance of proper security hygiene.

In an Oct. 25 statement, Bankers Life says it learned about the incident on August 7. An investigation by an external forensics firm revealed that unauthorized third parties accessed credentials of "a limited number" of Bankers Life employees between May 30 and September 13, according to the statement. "During this period, unauthorized third parties used improperly obtained employee information to gain access to certain company websites, potentially resulting in unauthorized access to personal information of policyholders and applicants," the insurer says. "Based on the investigation, the company has no reason to believe that its systems or network have been otherwise compromised."

The company says it took steps to further restrict and monitor access to systems and enhance its security procedures. "Federal law enforcement informed Bankers Life that disclosure of the incident could interfere with or impede its investigation," the insurer says. "Once this concern was removed, the company promptly notified consumers and regulators as required by law and additional individuals whose information may have been accessed."

Personal information that may have been inappropriately accessed includes names, addresses, dates of birth, insurance information - such as application or policy number, types of insurance, premiums, dates of service and claim amounts - and the last four digits of Social Security numbers, the statement says. "Except for a limited group of individuals, the investigation has not identified any unauthorized access to full Social Security numbers, driver's license or state identification card numbers, bank account numbers, or medications, diagnosis or treatment plan information. In addition, based on the investigation, no credit or debit card information was accessed," the statement notes.

Nevertheless, the company says it's offering free identity repair and credit monitoring services to individuals affected. Bankers Life is the marketing brand of Bankers Life and Casualty Co., Medicare supplement insurance policies sold by Colonial Penn Life Insurance Co. and select policies sold in New York by Bankers Conseco Life Insurance Co., the statement adds.