DataBreaches.Net


I called American Income Life Insurance to alert them to a data breach involving 150,000 customers. Here’s why they didn’t find out.

Posted on October 6, 2025 by Dissent

Paging the Federal Trade Commission to Aisle 5….

The Federal Trade Commission has repeatedly emphasized the importance of having a mechanism in place to receive data security alerts or concerns.

American Income Life Insurance (“AILife”), headquartered in Waco, Texas, does not provide such information on its home page or anywhere else on the site that I could find.  So I called their 800-number.

If you call their 800-number, none of the four options on the menu apply to data security. I decided to pick the “sales” option and then went through more options. I finally reached a person, who then politely put me on hold for several minutes before transferring me to another person, who in turn transferred me to yet another person.

By now, I had no idea who I was talking to or what department they were with, but once again, I repeated that I was a journalist just calling to alert them to a data breach involving 150,000 customers that they may not be aware of.

Instead of taking my phone number and any information or connecting me promptly to the right person, the employee told me to call another phone number for media. I declined and repeated that I was not asking them anything, but was just calling to alert them to a security incident. I told them to just take my phone number and have their IT or security person call me.

The employee repeated that I should call another number for the media.

It had been nine minutes since I first called them to try to help them, and I wasn’t willing to spend more of my time calling yet another number because of their security failures. I hung up.

The FTC should fine companies like American Income Life Insurance, which put people through hoops when they try to alert them to a data security issue.

Since AILife may not be aware of this breach or leak, and 150,000 consumers are affected, I’ll report it here.

The Data Leak

A table containing data on 150,000 AILife customers, former customers, or applicants was leaked on the internet, where anyone can download it for free. The data appears to relate to life insurance policies, and the types of personal and policy information include:

id: Unique record ID.
name: Policyholder’s name.
writing_number: Policy writing number.
npn: National Producer Number.
phone: Policyholder’s phone number.
email: Policyholder’s email.
insured_name: Insured’s name.
insured_address: Insured’s address.
insured_phone: Insured’s phone number.
insured_email: Insured’s email.
insured_dob: Insured’s date of birth.
insured_death_benefit: Insured’s death benefit.
insured_gender: Insured’s gender.
policy_status: Current policy status.
effective_date: Policy effective date.
product_name: Product name.
policy_number: Unique policy number.
annualized_premium: Annual premium.
carrier: Insurance carrier.
book_of_business: Book of business.
organization_id: Organization ID.
organization_user_id: Organization user ID.
organization_carrier_id: Organization carrier ID.
organization_user: Associated organization user.

The policies’ effective dates span from 2013 to the end of March 2023.

DataBreaches spot-checked some of the entries and, using Google, found that names and addresses corresponded to what could be found in a search, although phone numbers might not be up to date.

New Breach or Old?

Does AILife know about any breach involving this table?  In October 2024, its parent company, Globe Life, disclosed a breach that reportedly affected 5,000 AILife customers. As Security Week subsequently reported in February 2025, Globe Life eventually decided to notify 850,000 customers, as it explained in a January 2025 SEC filing:

As originally disclosed, pursuant to the Company’s incident response plan and with the assistance of external cybersecurity experts and legal counsel, the Company verified the threat actor had obtained the personally identifiable information of approximately 5,000 individuals. With the assistance of these external advisors, the Company confirmed that data categories, including names, email addresses, phone numbers, postal addresses, and in some instances dates of birth, Social Security numbers, health-related data and other insurance policy information, were obtained and that certain of this data was distributed to short sellers and plaintiffs’ attorneys. The investigation determined the exposure by the threat actor did not include personally identifiable financial information. The Company did not pay the demanded extortion payment and instead notified federal law enforcement and continues to assist law enforcement in the investigation of this activity. The Company has initiated the process to provide notification to, and credit monitoring services for, these individuals.

Based on the Company’s review, the customer information was traced to specific databases maintained by a small number of independent agency owners. The Company was not able to confirm if the threat actor acquired information from these databases at the targeted agencies beyond that relating to the approximately 5,000 individuals. Out of an abundance of caution, the Company has also initiated the process to provide voluntary notifications to, and credit monitoring services for, approximately 850,000 additional individuals whose information was also stored in the relevant databases, even though the Company has not been able to confirm if the threat actor acquired these additional individuals’ data.

The Company has confirmed the extortion attempts did not involve the use of ransomware or result in any interruption to the Company’s systems, services, or business operations. The Company continues to communicate with regulatory authorities and law enforcement. The Company will seek reimbursement of costs, expenses and losses stemming from this matter by submitting claims to its insurers. The timing and amount of any such reimbursements is not known at this time. As of the date of this filing, the Company believes this incident has not materially impacted its operations and does not expect this incident is reasonably likely to have a material impact on the Company, including its financial condition or results of operations.

Were the data in this new leak part of a September 2024 data leak, or are these data from a new incident? Given that the most recent “effective date” was March of 2023, it’s not clear. But the person dumping the data claims:

unique new fresh from ailife.com u can get their ssn by logging into their account too

The person posting the data did not report whether they had actually tried — and succeeded at — logging into accounts using just the information in the table. There are no passwords in the leaked data; however, an inspection of AILife’s login screen suggests that it could be possible for someone to register an e-service account using four of the elements in the table. Once they register, they will be able to access any policy and associated information.

As a matter of policy, DataBreaches did not attempt to log in to any customer accounts or register for any new e-Service accounts.

What Should You Do?

If you are a customer or former customer of AILife, or applied for a life insurance policy with AILife, between 2013 and March 2023, you may want to call them to ask if your data is included in this recent dump of 150,000 customers’ data on the internet. You may also want to ask them if this is a new breach.



2 thoughts on “I called American Income Life Insurance to alert them to a data breach involving 150,000 customers. Here’s why they didn’t find out.”

  1. Olivier Debré says:
    October 6, 2025 at 1:00 pm

    What this and other companies should do is publish a security.txt file within the $ROOT/.well-known/ directory, compliant with RFC 9116, cf. https://securitytxt.org/

    1. Dissent says:
      October 6, 2025 at 1:01 pm

      I am making an exception to the no-links in comments policy for this one. 🙂

Comments are closed.
