In a major cybersecurity incident disclosed this week, Aflac Incorporated, the iconic U.S. supplemental insurance provider famous for its quacking duck mascot, revealed that hackers stole personal and health-related data belonging to approximately 22.65 million individuals. This makes it one of the largest data breaches reported in the U.S. insurance sector in 2025.

The breach originated in June 2025 but was only fully quantified and publicly detailed in mid-December, after a months-long forensic investigation. Aflac, headquartered in Columbus, Georgia, and serving over 50 million customers worldwide, emphasized that the attack did not disrupt its operations and involved no ransomware deployment.

Timeline of the Incident

  • June 12, 2025: Aflac detected suspicious activity on a limited portion of its U.S. network. The company immediately activated its incident response protocols, engaged third-party cybersecurity experts, and notified federal law enforcement. The unauthorized access was contained within hours.
  • June 20, 2025: Aflac publicly disclosed the incident via a press release and SEC filing, warning that personal information may have been accessed but without specifying the scope or number affected.
  • December 4, 2025: After reviewing potentially impacted files, Aflac confirmed that sensitive personal information was involved, triggering mandatory notification requirements.
  • December 19, 2025: The company issued an updated statement on its newsroom site, announcing the completion of the file review and revealing the breach affected personal information of approximately 22.65 million people.
  • Late December 2025: Aflac began sending formal breach notification letters to affected individuals and filing reports with state attorneys general (e.g., Iowa and Texas). As of Christmas Day 2025, notifications are ongoing.

What Data Was Compromised?

The stolen files contained varying combinations of sensitive information, though not every data type was present for every individual. According to Aflac’s official statements and regulatory filings:

  • Names
  • Contact information (addresses, phone numbers, emails)
  • Dates of birth
  • Social Security numbers
  • Government-issued identification numbers (e.g., driver’s licenses)
  • Health and medical information
  • Insurance claims details

This mix of personally identifiable information (PII) and protected health information (PHI) raises significant risks for identity theft, medical fraud, and financial scams.

To date, Aflac reports no evidence of fraudulent use of the stolen data, and the company is actively monitoring for any misuse in collaboration with partners.

Suspected Culprit: Scattered Spider

While Aflac has not officially named the attackers, multiple cybersecurity researchers and reports strongly link the incident to Scattered Spider (also known as UNC3944, Octo Tempest, or scattered English-speaking hackers).

This loosely affiliated group, primarily composed of young cybercriminals from the U.S. and U.K., is notorious for:

  • Sophisticated social engineering tactics, such as impersonating IT support staff to trick employees into granting access.
  • Targeting specific industries in waves (previously casinos like MGM Resorts, retailers, and now insurance).
  • Data theft without ransomware, focusing on extortion or selling stolen information.

The Aflac breach occurred amid a broader campaign against the U.S. insurance sector in June 2025, with similar attacks reported at:

  • Erie Insurance
  • Philadelphia Insurance Companies
  • Other firms like Allianz Life and Scania Financial Services

In a filing with the Iowa Attorney General, Aflac noted that the attackers “may be affiliated with a known cyber-criminal organization” targeting the insurance industry, aligning with expert assessments of Scattered Spider’s activities.

Aflac’s Response and Support for Victims

Aflac acted proactively from the start:

  • Immediately secured potentially impacted accounts and reset passwords.
  • Offered 24 months of free identity protection services early on, without waiting for full investigation results.
  • Services include:
      • Credit monitoring
      • Identity theft protection
      • Medical fraud monitoring (via CyEx Medical Shield)
      • Dedicated support line for inquiries

Affected individuals are encouraged to enroll in these services, monitor their credit reports, and watch for signs of identity theft. Aflac has set up resources on its website (aflac.com) for updates and assistance.

The company has also enhanced its cybersecurity measures, though specific details have not been disclosed.

Broader Implications

This breach underscores the vulnerability of the insurance industry, which holds vast troves of sensitive personal and health data. With 22.65 million impacted—roughly 45% of Aflac’s U.S. customer base—it ranks among the year’s most significant incidents.

Experts warn that stolen health and claims data can be particularly valuable on the dark web, enabling targeted scams like fake medical bills or insurance fraud.

If you believe you may be affected (e.g., current or former Aflac policyholder, beneficiary, employee, or agent), visit Aflac’s official site or contact their dedicated support line for confirmation and enrollment in protective services.
