Aflac breach exposes personal and health data of more than 22M people - SiliconANGLE

Insurance company Aflac Inc. has disclosed that a cyberattack that targeted the company in June resulted in the theft of records relating to 22.65 million individuals, making it one of the largest data breaches reported this year in the U.S. insurance sector.

The company first detected unauthorized access to portions of its U.S. network on June 12, which was followed by a response that included isolating affected systems, hiring external cybersecurity experts and notifying law enforcement. The breach did not involve ransomware and did not disrupt business operations but did involve the theft of files that contained personally identifiable information.

The data stolen related to current and former customers, beneficiaries, employees, agents and other individuals whose information was stored in the compromised systems. The information stolen varied between individuals but may have included names, dates of birth, contact information, Social Security numbers, health and medical information, claims data and, in some cases, government-issued identification numbers.

Aflac added that it is not aware of any fraudulent use of personal information and that, along with third-party partners, it is continuing to monitor for any fraudulent activity.

More than six months after the breach, Aflac has begun notifying affected individuals and regulators and is offering complimentary identity protection services, including credit monitoring, identity theft protection and medical fraud monitoring. The services are being provided for up to 24 months, along with access to dedicated support resources.

While Aflac did not attribute the attack to a specific threat actor, cybersecurity researchers and previous reports have linked the breach to the Scattered Spider cybercrime group, which has previously been associated with breaches across the insurance, healthcare and retail sectors.

Also known as “Octo Tempest” and UNC3944, Scattered Spider first became active in early 2022, using extensive social engineering methods to target organizations worldwide and aiming for financial extortion. The group has also previously worked with the better-known ALPHV/BlackCat ransomware-as-a-service operation to extort victims.

Scattered Spider attacks typically target technical administrators using social engineering. The group impersonates victims, often mimicking their speech patterns or pretending to be newly hired employees.

Its main methods for initial access include social engineering calls, purchasing employee credentials on the black market, SMS phishing and initiating SIM swaps, or setting up call forwarding on an employee’s phone. In some cases, it uses intimidation by sending threats to specific individuals.

Tim Rawlins, senior adviser and director of security at consulting firm NCC Group PLC, told SiliconANGLE via email that “we saw cybercriminal group Scattered Spider target multiple insurance companies in the U.S.”

“Their use of voice-based social engineering has been particularly successful, as technical security measures can often be overcome when a member of staff can be persuaded into helping criminals,” explains Rawlins. “While we can’t confirm they are responsible, this does match other similar attacks ascribed to them.”

The breach of Aflac adds to a list of high-profile cyber incidents affecting insurers in 2025, highlighting the sector’s ongoing exposure to attacks involving sensitive personal and health data.

“We have seen a number of very large breaches throughout the year and as firms have started to better secure their backups, they are less frequently paying to have it decrypted,” added Rawlins. “In turn, attackers have increasingly tried to extort money in exchange for not releasing the data they have copied during the attack. We can expect this style of extortion to become the standard as it’s difficult to counter.”
