Cyber Incident Victim: Aflac

Date: Dec 2025

Location: United States of America

Summary

Aflac disclosed that hackers accessed and exfiltrated personal and health information of approximately 22.6 million individuals during a cyberattack, compromising names, dates of birth, home addresses, government‑issued identification numbers, driver’s license details, Social Security numbers and medical insurance data. The company subsequently initiated notifications to about 22.65 million affected persons. It serves roughly 50 million customers and was among several insurers experiencing similar breaches at the same time.

Description

In June 2025, Aflac disclosed a data breach in which hackers accessed and stole customers’ personal information, including Social Security numbers and health details, without initially revealing how many individuals were affected. The company later confirmed that it had begun notifying approximately 22.65 million people whose data had been taken during the cyberattack. Aflac filed a notice with the Texas attorney general specifying that the compromised data included names, dates of birth, home addresses, government‑issued identification numbers such as passports, state ID cards and driver’s license numbers, Social Security numbers, and medical and health insurance information.

In a separate filing with the Iowa attorney general, Aflac stated that the cybercriminals may be affiliated with a known cyber‑criminal organization and that federal law enforcement and third‑party cybersecurity experts had indicated the group might have been targeting the insurance industry broadly. The article also notes that Scattered Spider, an amorphous collective of primarily English‑speaking hackers, was known to be targeting the insurance sector at the time of the breach.

The stolen information encompassed names, dates of birth, residential addresses, government‑issued identification numbers (including passports, state ID cards and driver’s license numbers), Social Security numbers, and medical and health insurance information. Aflac reported that it serves roughly 50 million customers according to its corporate website. The breach affected about 22.65 million individuals, representing a significant portion of the company’s customer base. The incident occurred alongside similar data breaches reported at Erie Insurance and Philadelphia Insurance Companies.

In response, Aflac initiated notification letters to the affected individuals detailing what data had been accessed. Federal law enforcement and third‑party cybersecurity experts were consulted and indicated that the threat actor might have been targeting the insurance industry. Aflac submitted the required breach notices to the Texas and Iowa attorneys general to satisfy regulatory obligations. When approached for comment by TechCrunch, an Aflac spokesperson did not provide a response.
