Aflac Breach Exposes Data of 22.65 Million People as Scattered Spider Tactics Hit Insurers

By Ash K

Columbus-based insurance giant Aflac Inc. says a June 2025 cyberattack resulted in the theft of sensitive personal data linked to about 22.65 million people, turning what began as a quickly contained intrusion into one of the largest publicly disclosed insurance sector breaches of the year. The company has begun issuing notices to affected individuals, warning that exposed information can include Social Security numbers and health and insurance details, data types that are difficult to change and highly valuable for fraud.

The incident is being viewed through the lens of a wider campaign targeting insurers, with investigators and industry reporting pointing to tactics associated with the Scattered Spider cybercrime group. While attribution in active cases can be complex, security teams across the sector have been on alert for similar playbooks that focus less on exploiting software flaws and more on manipulating people and processes.

What happened and when Aflac detected it

Aflac says it identified suspicious activity on its US network on June 12, 2025. The firm reported that it moved quickly to contain the intrusion within hours and maintained normal operations, including continuing to process claims and underwrite policies. At the time of the initial disclosure in June, the company indicated that files containing personal information may have been accessed and taken, but it had not yet confirmed the full scale.

After months of investigation, Aflac has since concluded that data was exfiltrated and that the number of affected people is far larger than initially understood. The company has started formal notifications and related regulatory reporting, providing more detail on the categories of data involved.

How many people are affected

Aflac’s latest figure is approximately 22.65 million individuals. The company has indicated that the affected population can include customers, beneficiaries, employees, and agents. That mix matters because it expands the potential downstream impact, from consumer identity theft to targeted scams against employees and intermediaries who interact with policyholders.

For insurers, a breach at this scale also creates a long tail of risk. Stolen identity and policy data can be reused months later in claim fraud, account takeovers, and impersonation attempts aimed at call centres and third party administrators.

What data was stolen

Aflac says the stolen information varies by person but can include a wide set of identifying and sensitive records such as names, dates of birth, and home addresses. The company has also indicated that government issued identification numbers may be involved, including driver’s licence details and other ID documents. Critically, Aflac says Social Security numbers were among the data types taken in the incident.

In addition to identity data, Aflac has said that medical and health insurance information may be included in the stolen files. This category can include health related details and insurance information that criminals can exploit for medical identity theft, fraudulent billing, or highly tailored social engineering.

Why Scattered Spider is central to the story

Scattered Spider is often associated with an operator style that relies on social engineering rather than purely technical exploitation, including persuading service desks to reset passwords, enrolling new devices, or bypassing multi factor authentication controls. In sector wide waves, the group has been linked by researchers and incident reporting to attacks where access is gained through stolen credentials and help desk manipulation, then expanded through identity systems and remote access tooling.

In Aflac’s case, public reporting around the incident has pointed to hallmarks consistent with Scattered Spider tradecraft, and the breach has been discussed alongside other insurance related intrusions reported in the same period. Aflac itself has described the attackers as a sophisticated cybercrime group and has framed the incident as part of a broader campaign targeting insurers.

What this means for victims

When Social Security numbers and health insurance data are exposed together, the risk profile goes beyond standard credit fraud. Attackers can use combined identity and policy information to attempt benefits fraud, file false claims, or conduct convincing impersonation attacks against policyholders, employers, brokers, and medical providers.

Victims can also be targeted with follow on scams that reference real details from the stolen data. These scams may arrive as calls, SMS messages, or emails posing as Aflac, an employer benefits team, or a claims representative. The goal is often to extract additional authentication details, payment information, or to push victims into transferring money under urgency.

Aflac’s response and support being offered

Aflac says it has been notifying affected individuals and offering support services intended to reduce harm. In its earlier communications about the June incident, the company said it would provide credit monitoring and identity theft protection for impacted people, along with health focused protections described as Medical Shield. As notifications roll out, victims are being advised to follow the steps outlined in their individual notice, which typically include monitoring financial accounts, placing fraud alerts or credit freezes where appropriate, and being cautious about unexpected contact claiming to be related to claims or benefits.

The company has also said it engaged third party cybersecurity experts to support the investigation and response. Like many large breach responses, the process includes determining exactly which files were accessed, confirming what was taken, and mapping that back to individuals for legally required notifications.

What the breach shows about the insurance sector

Insurers hold some of the most monetisable identity datasets in the economy, combining personal identifiers, financial details, employer information, and health related records. That makes them a persistent target, particularly for groups that specialise in identity driven compromise. The Aflac case underscores a reality many defenders have been highlighting: even when an intrusion is detected and contained quickly, the data theft may already have occurred, and the true scale may only become clear after extensive forensic work.

The incident also adds pressure on insurers to harden their identity layers, especially help desk procedures and third party access paths. A growing body of sector experience suggests that preventing account recovery abuse, tightening device enrolment rules, and improving anti impersonation controls can be just as important as patching systems.

What organisations can learn from this incident

A campaign driven by social engineering thrives on gaps between policy and practice. Organisations in insurance and adjacent sectors should review call centre and IT service desk processes, require stronger verification for password resets, and restrict high risk actions such as MFA resets and device enrolment. Logging and alerting should be tuned to identity events including repeated reset attempts, unusual enrolments, and changes in authentication factors.
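As an added illustration of the identity event monitoring described above (example code written for this article, not Aflac's or any vendor's tooling), the following rules run over a constructed sample of help desk and authentication events and flag repeated reset attempts, a factor change followed quickly by a new device enrolment, and help desk initiated MFA resets. The log format, user names and thresholds are assumptions.

```python
# Added example (not Aflac's or any vendor's code): flags identity-event
# patterns named in the text, over constructed sample log lines.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity events: timestamp, user, event, actor
SAMPLE_LOG = """\
2025-06-12T09:00:01Z alice password_reset helpdesk
2025-06-12T09:04:10Z alice password_reset helpdesk
2025-06-12T09:07:30Z alice mfa_reset helpdesk
2025-06-12T09:09:02Z alice device_enrol self
2025-06-12T10:15:00Z bob password_reset self
2025-06-13T08:00:00Z carol factor_change self
2025-06-13T08:02:00Z carol device_enrol self
"""

RESET_EVENTS = {"password_reset", "mfa_reset"}
FACTOR_EVENTS = {"mfa_reset", "factor_change"}

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, event, actor = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, actor))
    return events

def detect(events, window=timedelta(hours=1), reset_threshold=2, enrol_gap=timedelta(minutes=30)):
    """Return a list of (user, rule) alerts; thresholds are assumed values."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        resets = [ts for ts, _, e, _ in evs if e in RESET_EVENTS]
        # Rule 1: repeated reset attempts within the sliding window
        for i in range(len(resets)):
            if sum(1 for t in resets[i:] if t - resets[i] <= window) >= reset_threshold:
                alerts.append((user, "repeated_resets"))
                break
        # Rule 2: MFA reset or factor change followed shortly by a new device enrolment
        factor_ts = [ts for ts, _, e, _ in evs if e in FACTOR_EVENTS]
        enrol_ts = [ts for ts, _, e, _ in evs if e == "device_enrol"]
        if any(timedelta(0) <= (en - f) <= enrol_gap for f in factor_ts for en in enrol_ts):
            alerts.append((user, "factor_change_then_enrol"))
        # Rule 3: help desk initiated MFA reset, a high risk action worth reviewing
        if any(e == "mfa_reset" and a == "helpdesk" for _, _, e, a in evs):
            alerts.append((user, "helpdesk_mfa_reset"))
    return alerts
```

In practice the same rules would be fed from the identity provider's audit log and the service desk ticketing system rather than a flat file, and the alerts routed to the team that owns account recovery.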

Insurers and brokers should also assume criminals will try to weaponise stolen data for convincing pretexting. That means training frontline teams to recognise manipulation, deploying out of band verification for sensitive requests, and ensuring customers have a clear way to confirm whether a communication is legitimate.

What to watch next

The next phase will be shaped by how rapidly affected individuals receive notices, what additional details emerge through regulatory filings, and whether follow on fraud campaigns appear at scale. For the wider market, the breach is likely to intensify scrutiny on identity security controls across insurance operations, particularly where third parties and service desks play a central role in account recovery and access management.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, products and security solutions architecture.