When sophisticated cybercriminals breached Aflac’s systems on June 12, 2025, the attack exposed sensitive customer data including health information, Social Security numbers, and claims records in what security experts identified as part of a coordinated campaign targeting the U.S. insurance industry.
The attackers, employing social engineering tactics, gained unauthorized access to Aflac’s systems without deploying ransomware or demanding payment. Company officials detected the suspicious activity within hours and immediately implemented cyber incident response protocols as they engaged third-party cybersecurity experts, including CrowdStrike, to contain the breach. Similar to the recent WebTPA data breach, the incident required extensive investigation by cybersecurity experts to assess the full scope of the intrusion.
In spite of the intrusion, Aflac’s core operations, claims processing, and customer service functions remained uninterrupted throughout the incident.
The compromised data potentially includes personal information of customers, beneficiaries, employees, and agents from Aflac’s U.S. business operations. Beyond health data and Social Security numbers, the breach may have exposed additional sensitive details, though company officials continue reviewing affected files to determine the exact scope and number of impacted individuals.
The investigation remains in early stages as of June 20, 2025, with the total scale of compromised information still under assessment. It remains unclear how long the unauthorized activity persisted before detection and containment.
Security analysts attributed the attack pattern to Scattered Spider, an English-speaking cybercriminal organization that has recently intensified operations against insurance providers. Google’s cybersecurity teams warned of escalating attacks on insurance companies amid what they characterized as a sector-wide targeting spree, with similar incidents reported among other major insurers throughout June 2025. The same criminal group recently conducted attacks against major retailers, including UNFI, which caused product shortages at Whole Foods stores.
Aflac has established a dedicated call center for customer inquiries and initiated regulatory notification procedures in compliance with breach disclosure requirements. The company will provide affected individuals with free credit monitoring, identity theft protection, and Medical Shield protection services for 24 months.
Officials have notified the Securities and Exchange Commission about the breach and ongoing investigation.
The incident highlights the insurance industry’s emergence as a high-value target for sophisticated threat actors. Legal implications may include potential class action lawsuits and regulatory scrutiny as the company continues coordinating with government regulators as it prioritizes transparency in public communications and customer support measures during the remediation process.
