- On a cybercrime forum, a threat actor claims to be selling a private database of Globe Life Insurance customers.
- While the seller claims the database consists of various kinds of data (such as personal, financial and insurance policy data), there’s no official confirmation that these claims are true.
- This listing follows Globe Life’s announcement of a significant breach of customer information that ultimately affected many thousands of customers.

A threat actor has reportedly claimed to be in possession of a confidential database of customers of Globe Life Insurance. They offered the alleged database for sale on a cybercrime marketplace.
Currently, there is no proof that the seller actually holds the database they’re advertising, and no independent analysts have verified it. However, the claims are notable because the advertised data resembles the data leaked in an earlier Globe Life breach.
The broad range of personal and insurance-related information allegedly included in the database would be highly valuable to criminals.
Seller Claims Database Contains Extensive Personal Information
Based on the screen grabs of the sale listing, the threat actor states that the database has a large amount of personally identifiable information (PII) associated with Globe Life customers.
As seen from the sample schema provided on the sale page, the records might contain such information as names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, driver’s license information, employment information, and marital status.
The seller also claims the database contains insurance-related information. This includes beneficiary details, policy types, policy numbers, coverage amounts, premium values, policy status information, payment history, and banking details.
No record count was provided in the listing, so it is virtually impossible to estimate the size of the dataset. In addition, the actor didn’t present sufficient proof for independent verification. The claims should therefore be treated with some caution until more proof appears.
Listing Appears After Globe Life’s Previously Disclosed Breach
The alleged sale comes less than two years after Globe Life publicly disclosed a significant cybersecurity incident involving customer information.
In June 2024, the company reported that an unknown threat actor was attempting to extort Globe Life using stolen customer data. The information was linked to customers and leads associated with American Income Life Insurance Company, a Globe Life subsidiary.
At first, the firm said the leaked personal records included the following categories of information: names, locations (including street name and number), telephone numbers, e-mail addresses, SSNs (in certain instances), policy-related data, and health-related information. About five thousand individuals fell within the initial statement’s definition of affected persons.
The number of affected individuals later increased substantially. According to a later disclosure, investigators found that the number of individuals whose information leaked rose to 850,000.
The company said the records had connections to databases maintained by independent insurance agency owners associated with its business. The revised figures transformed the incident from a relatively limited breach into one of the larger insurance-sector data exposures disclosed during that period.
Some Claims Go Beyond Publicly Confirmed Information
While there is overlap between the data categories in the current sale listing and information Globe Life previously acknowledged, some of the seller’s claims go beyond the publicly confirmed records.
For example, Globe Life’s earlier disclosures acknowledged exposure of customer information, policy data, and certain health-related records. However, the company previously stated that investigators had not verified all threat actor claims and indicated that financial account information did not appear to be part of the known compromise.
The latest listing, by contrast, claims the database contains banking information and detailed payment records. Without full access to the dataset, it is impossible to verify these claims.
Criminals usually inflate the quantity or price of stolen data to lure prospective buyers. But there are cases when data actually stolen from companies appears for sale on underground forums. Both possibilities remain on the table in this case.
Why Insurance Data is Valuable to Criminals
Insurance records are often especially valuable because they can contain information from several parts of a person’s life in a single file. A record that combines identity details, policy information, beneficiary information, and financial data can be useful for multiple forms of fraud.
The value of such data has made insurance companies a top target. Shlomo Insurance in Israel recently suffered a cyberattack that exposed sensitive customer and policy information.
Criminals can exploit this data to carry out identity theft, account takeover, and even insurance fraud. It can also enable them to carry out synthetic identity fraud, apply for loans in victims’ names, commit tax fraud, and conduct spear phishing.
The presence of beneficiary data would give criminals an opportunity to conduct social engineering attacks against the families of policyholders or any other persons related to the clients of Globe Life.
Because insurance companies often collect large amounts of personal information during the underwriting and claims process, breaches involving insurance records can have long-term consequences for affected individuals.
Authenticity Remains Unconfirmed
At this stage, there is no independent confirmation that the advertised Globe Life database is genuine or that it contains the information described by the seller. However, even without verification, this posting will likely draw the interest of researchers since it appears after an actual data breach that Globe Life has already acknowledged.
Until further evidence surfaces, the hacker’s alleged database is nothing but a baseless rumor. Still, people should stay careful, as the fallout could be massive if the claim turns out to be true.