Binary code displayed on a laptop screen and Guy Fawkes mask are seen in this illustration photo taken in Krakow, Poland on March 1, 2022. Global hacker group Anonymous declared 'cyber war' against Russia. (Photo by Jakub Porzycki/NurPhoto via Getty Images)
Washington D.C. – Insurance giant Aflac confirmed Friday that it had suffered a cybersecurity breach potentially affecting a wide swath of its U.S. customers, as investigators race to assess how deeply attackers penetrated the company’s systems — and what personal information may have been exposed.
The breach, which occurred on June 12 and was reportedly contained within hours, is part of an increasingly brazen wave of cyberattacks targeting American insurance providers. Preliminary findings suggest that cybercriminals used social engineering tactics — manipulating human trust rather than breaching technical defenses — to gain access to Aflac’s internal networks.
In a statement, Aflac said it had “engaged leading third-party cybersecurity experts” and emphasized that the incident did not involve ransomware, nor has it disrupted customer services. Still, the breach could be significant in scope. The company acknowledged that the exposed data may include insurance claims, health records, Social Security numbers, and other personal information tied to customers, employees, and agents. A full accounting of affected individuals remains incomplete.
“We are sharing this in the spirit of transparency and care for our customers,” Aflac said, noting the review is ongoing.
With more than $20 billion in annual revenue and tens of millions of policyholders, Aflac is among the most prominent providers of supplemental health insurance in the U.S. Its role — filling in financial gaps left by primary insurance — has made it a trusted name, and now, a high-profile target.
This attack is the latest in a troubling series. Erie Insurance and Philadelphia Insurance Companies also reported recent breaches, all bearing the hallmarks of the same threat actor: a loosely organized but increasingly notorious cybercrime group known as Scattered Spider. Known for speed and sophistication, the group rose to prominence in 2023 after targeting Las Vegas giants MGM Resorts and Caesars Entertainment, walking away with millions.
Though Aflac did not name the group directly, the method of attack — impersonating trusted IT help desks, luring employees into revealing access credentials — is consistent with Scattered Spider’s signature playbook. Investigators familiar with the breach told CNN that the group is likely responsible.
Cybersecurity experts are sounding the alarm. “They can execute their full attacks in hours. Most other ransomware groups take days,” said Cynthia Kaiser, former FBI cyber division leader and now with the cybersecurity firm Halcyon. “If Scattered Spider is targeting your industry, get help immediately.”
As Aflac scrambles to contain the fallout, the breach highlights the vulnerability of even the most established financial institutions — and the growing danger of cybercrime conducted not by foreign states, but by domestic and transatlantic youth networks with something to prove.
