Yes — CNO Services, LLC disclosed a data security incident reported to the Texas Attorney General on July 3, 2026, covering 530 Texas residents. This incident is part of our Texas OAG July 3, 2026 breach roundup.
CNO Services is the shared-services subsidiary of CNO Financial Group, Inc. (NYSE: CNO) — parent of Bankers Life, Colonial Penn, and Washington National. According to Almeida Law Group’s breach summary, the incident began with a vishing (voice phishing) attack on May 15, 2026, when a caller impersonated the internal IT service desk and gained limited access to employment-related systems.
Texas OAG records list exposed data as names, Social Security numbers, and dates of birth. Consumer notification was provided by U.S. Mail. CNO states its investigation found no evidence that customer policyholder data was accessed — employee and associate records were the focus.
We scanned cnoinc.com and bankerslife.com to assess email and domain security posture relevant to post-breach impersonation risk.
What Happened
According to Almeida Law Group and Texas OAG records:
- May 15, 2026 — Vishing attack impersonating CNO IT service desk; limited unauthorized system access.
- June 12, 2026 — Consumer/employee notification letters began (per Maine AG and company notices).
- July 3, 2026 — Texas OAG breach report published (530 Texans).
Breach Impact at a Glance
| Field | Detail |
|---|---|
| Entity | CNO Services, LLC (CNO Financial Group) |
| Sector | Insurance / financial services |
| Texans affected | 530 |
| Attack vector | Vishing — fake IT helpdesk call |
| Data types (OAG) | Names; SSNs; dates of birth |
| Customer data | Company says not accessed |
| Identity monitoring | IDX (12 months) offered |

Data at Risk
Because SSNs and dates of birth were involved, affected associates face elevated identity theft and W-2 fraud risk — even when customer insurance files were not accessed.
CNO Financial Group has prior breach history: the 2018 Bankers Life incident affected hundreds of thousands of individuals nationwide — making post-incident impersonation targeting @bankerslife.com and @cnoinc.com especially credible.
Independent Cybersecurity Audit
We ran an EmailMeNow Cybersecurity Audit on July 7, 2026:
| Domain | Overall | Identity | Transport | Website | Risk |
|---|---|---|---|---|---|
| cnoinc.com | 42% | 20% | 15% | 45% | Below Average |
| bankerslife.com | 44% | 25% | 15% | 45% | Below Average |
Key findings:
- 42–44% overall (Below Average) — well below the 100% ideal for an insurance group handling associate SSNs and operating consumer-facing brands.
- 20–25% Identity & Spoofing — weak DMARC enforcement on both domains; spoofed IT-helpdesk or IDX enrollment phishing may reach employees and retirees.
- 15% Transport Security — no effective MTA-STS enforcement or TLS-RPT on either mail path.
- 100% Email Infrastructure on primary domains — hosted Microsoft 365 does not offset identity gaps.

A vishing breach starts on the phone, but weak email identity controls amplify follow-on fake IDX enrollment and fake HR phishing after SSNs are exposed.
Audit links:
Priority Actions
If you received a CNO Services notice:
- Enroll in IDX monitoring only through instructions in your letter.
- Verify any follow-up IT or HR calls by calling back through official corporate numbers — not numbers left in voicemail.
For insurance and financial services firms:
- Train staff on vishing — IT will never rush MFA resets by phone.
- Deploy DMARC
p=rejecton every consumer and associate-facing domain. - Add MTA-STS
mode=enforceand help-desk callback verification procedures.
Related Trackers
- Texas OAG July 3 roundup
- Texas OAG YTD dashboard
- Financial services tracker
- FBI vishing alerts
- All state AG trackers
Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for DMARC enforcement and vishing-resistant help-desk procedures.
Sources: Texas OAG — Data Security Breach Reports · Almeida Law Group — CNO Services breach · EmailMeNow audit — cnoinc.com · EmailMeNow audit — bankerslife.com