Aflac Data Breach: Insurance Giant Confirms Personal Data of 22.65 Million Customers Exposed

Key Takeaway: Insurance giant Aflac confirmed that cybercriminals from the Scattered Spider group breached its systems in June 2025, compromising the personal and health data of 22.65 million individuals through sophisticated social engineering tactics.

How the Attack Unfolded

On June 12, 2025, Aflac’s security team detected suspicious activity on its U.S. network systems and immediately activated emergency response protocols. The attackers gained access through social engineering—manipulating IT support staff into providing credentials or resetting passwords—rather than exploiting technical vulnerabilities. Aflac’s rapid response contained the breach within hours, preventing further data theft and blocking the attackers from deploying ransomware that could have crippled operations. Despite the swift containment, the intruders had already stolen sensitive information, including names, Social Security numbers, dates of birth, health records, government-issued identification, driver’s license details, and claims information.​

Scattered Spider: The Insurance Industry’s New Nemesis

Federal law enforcement and cybersecurity experts have attributed the Aflac breach to Scattered Spider, also known as UNC3944 or Octo Tempest—a loosely organized collective of English-speaking hackers. This group gained notoriety in 2023 for attacking MGM Resorts and has since shifted focus from retail companies to the insurance sector, which holds vastly more valuable personal data. Rather than developing complex malware, Scattered Spider relies on manipulation and impersonation, calling help desks while posing as employees to request password resets or access credentials. This social engineering approach sidesteps sophisticated firewalls and multi-factor authentication systems, which cannot defend against an attacker who has been granted legitimate access.

Between June 7 and June 12, 2025, Scattered Spider attacked three major U.S. insurers in rapid succession: Erie Insurance (June 7), Philadelphia Insurance Companies (June 9), and Aflac (June 12). This coordinated campaign reflects the group’s systematic targeting of one industry sector at a time for maximum impact.​

A Broader Industry Crisis

The Aflac breach is not an isolated incident but part of a sustained assault on American financial institutions. Prior to targeting insurance companies, Scattered Spider conducted a major retail campaign in April and May 2025 that breached major UK retailers, including Marks & Spencer (costing an estimated £300 million), the Co-op Group, and Harrods. The group also compromised U.S. retailers, including Victoria’s Secret and United Natural Foods, the primary supplier for Amazon’s Whole Foods.​

Beyond Aflac, Philadelphia Insurance, and Erie, the insurance sector faced additional major breaches in 2025. In July 2025, Allianz Life Insurance experienced a breach affecting 1.4 million U.S. customers when attackers accessed a cloud-based customer relationship management system using social engineering. Insurance companies are particularly high-value targets because they maintain comprehensive databases containing customers’ full names, Social Security numbers, financial information, health records, and policy details—everything needed for identity theft or sophisticated phishing campaigns.​

Investigation Timeline and Disclosure

Aflac discovered the breach on June 12, 2025, but did not fully disclose the scope until December 19, 2025. The six-month gap occurred because the company needed to conduct a comprehensive file-by-file review to determine exactly what data the attackers accessed. Aflac completed its investigation on December 4, 2025, triggering customer notifications, state attorney general filings, and reporting to the U.S. Department of Health and Human Services’ Office for Civil Rights.​

Regulatory Response and Congressional Scrutiny

The scale of the Aflac breach prompted significant regulatory attention. In August 2025, U.S. Senators Bill Cassidy (R-La.) and Maggie Hassan (D-N.H.) demanded answers from Aflac regarding security measures in place before the attack, how the company incorporates cybersecurity best practices from critical infrastructure sectors, federal agency notifications, and preventive measures for future incidents. Multiple class-action lawsuits have been filed against Aflac by plaintiffs alleging the company failed to implement reasonable cybersecurity measures and properly encrypt sensitive data.​

Aflac’s Response and Mitigation Efforts

Following the incident, Aflac engaged third-party cybersecurity experts to assist with the investigation and response. The company secured compromised accounts, reset passwords, and implemented additional monitoring for suspicious activity. To assist affected individuals, Aflac provided 24 months of complimentary credit monitoring and identity theft protection services. The company established a dedicated call center to help affected individuals understand their rights and access resources.​

To date, Aflac reports that it is unaware of any fraudulent use of the stolen information, though the company continues to monitor. However, experts warn that stolen data can be used for identity theft for years after a breach occurs.

Critical Lessons for the Insurance Industry

The Aflac breach underscores how social engineering remains the weakest link in enterprise security, particularly in industries with large help desks and outsourced IT functions. Even advanced technical security measures cannot fully protect against attackers who convince employees to voluntarily grant access.​

Cybersecurity experts recommend that insurance companies immediately implement zero-trust security principles, conduct regular employee training on social engineering tactics, strengthen identity verification protocols for IT support requests, deploy advanced threat detection systems, and maintain robust incident response plans. The average cost of a data breach in 2025 is estimated at $4.45 million, with large-scale incidents generating millions more in legal settlements.​

Scattered Spider’s Evolution and Future Threat

Scattered Spider has operated since at least May 2022, establishing itself as a significant threat actor through the 2023 MGM Resorts attack. The group’s evolution demonstrates how modern cybercriminals adapt their tactics based on target sector vulnerabilities. After successfully breaching retail companies in early 2025, they identified the insurance sector as an even more lucrative target due to the sensitivity and comprehensive nature of data held by insurers.​

Recent claims by Scattered Spider members that they are ceasing operations appear misleading. Security researchers assess it is unlikely the group has actually stopped criminal activities, with evidence suggesting they are distancing themselves from law enforcement scrutiny while planning future attacks.​

What Affected Customers Should Do

For individuals affected by the Aflac breach, immediate steps include monitoring credit reports for suspicious activity, enrolling in free credit monitoring services provided by the company, changing passwords for all financial accounts, watching for phishing attempts, and remaining vigilant against identity theft for years to come. The sensitive nature of compromised data—including Social Security numbers, health information, and financial details—makes affected individuals particularly vulnerable to sophisticated fraud schemes.​

Looking Ahead

The Aflac breach, combined with parallel attacks on Philadelphia Insurance, Erie Insurance, and Allianz Life, signals an evolving threat landscape where insurance companies face unprecedented vulnerability. Industry investments in robust cybersecurity defenses are now essential, not optional. The convergence of valuable data, susceptibility to social engineering, and highly motivated cybercriminal groups means that the insurance sector will remain a priority target for years to come.

Sources: Aflac
