Cyber Incident Victim: Aflac Incorporated
Date: Jun 2025
Location: United States of America
Summary
Aflac detected unauthorized network access, contained it within hours, and hired third‑party experts to investigate. A review found that personal data—including names, addresses, Social Security numbers, driver’s license numbers and health insurance information—for about 22.65 million individuals (customers, beneficiaries, employees, agents and others) was exposed. The firm is offering 24 months of free credit monitoring, identity theft protection and medical fraud services, and says it has seen no fraudulent use of the data. Researchers link the incident to a wider insurance‑industry crime spree tied to the Scattered Spider threat group.
Description
On June 12, 2025, Aflac Incorporated detected unauthorized access to its network and promptly initiated its cybersecurity incident response protocols, believing that the intrusion had been contained within hours; the company stated that its business remained operational and that no file‑encrypting ransomware had been deployed. Aflac engaged leading third‑party cybersecurity experts to support the response and began a review of potentially impacted files, noting at that time that the review was in its early stages and that it could not yet determine the total number of individuals whose information might have been accessed. The potentially impacted files were described as containing claims information, health information, Social Security numbers and other personal data relating to customers, beneficiaries, employees, agents and other individuals associated with Aflac’s U.S. operations. The company indicated that it anticipated notifying regulators and providing appropriate notifications to affected individuals, and that it would offer free credit monitoring and identity‑theft protection services as part of its response.

By June 20, 2025, Aflac publicly disclosed the cyber intrusion, reporting that it had identified suspicious activity on its network on June 12 and attributing the incident to a sophisticated cybercrime group; the company said it had immediately contained the attack and continued to work with third‑party experts on incident response. Aflac emphasized that its operations were not affected and that no ransomware had been used. It later noted that, just before Christmas, it had completed its investigation into the potentially compromised data and had begun notifying the individuals whose information was involved. Based on the review of potentially impacted files, Aflac determined that personal information associated with approximately 22.65 million individuals had been involved, specifying that the compromised data included names, addresses, Social Security numbers, dates of birth, driver’s license numbers, government identification numbers, medical and health insurance information and other personal details. The company stated that the review had identified personal information pertaining to customers, beneficiaries, employees, agents and other individuals related to Aflac, and that it was providing the affected individuals with 24 months of free credit monitoring, identity‑theft protection and medical fraud protection services. Aflac also said that, to date, it was not aware of any fraudulent use of the stolen information but urged recipients to remain vigilant against identity‑theft and fraud attempts.

The December 30, 2025 update from Aflac reiterated that the breach had compromised Social Security numbers and health insurance information for 22.65 million people, noting that files containing personal data related to customers, beneficiaries and employees may have included contact information, claims, health information and Social Security numbers. Aflac reported that it had addressed the breach within hours of detection and had begun notifying customers soon after, making available on its homepage a link to a PDF document detailing the assistance being offered, which included 24 free months of CyEx cybersecurity services encompassing credit monitoring, medical information protection services and identity‑theft monitoring. In a press release accompanying the update, the company downplayed the effects of the breach, stating that to date it was not aware of any fraudulent use of personal information and that, together with third‑party partners, it would continue to monitor for any fraudulent activity. A representative for Aflac told CNET that the company had no further comment beyond what had been posted on its website.

Throughout the incident, Aflac maintained that its systems remained operational and that it could continue to underwrite policies, review claims and service customers as usual, a point reiterated in both the June 12 SEC Form 8‑K filing and the June 12 cybersecurity‑industry article. The company described the intrusion as part of a larger crime wave targeting the insurance industry that researchers have linked to a collective known as Scattered Spider, noting that the group had previously conducted weeks‑long attack campaigns against retailers in the United States and the United Kingdom. Aflac’s disclosure referenced warnings from Google’s Threat Intelligence Group that the same hackers who had targeted the retail sector had pivoted toward the insurance industry, with Google observing that the activity showed the hallmarks of Scattered Spider although it had not formally attributed the attacks to that group. The article also mentioned that other insurers, such as Erie Insurance Group, had disclosed related cyber intrusions around the same timeframe, with Erie reporting that it had regained control over its systems and found no further evidence of malicious activity while working with third‑party forensic experts.

Aflac’s response included notifying regulators, sending breach letters to affected individuals and offering the aforementioned credit‑monitoring and identity‑theft protection services, and the company indicated that it would continue to monitor for fraudulent activity in cooperation with its third‑party partners. The narrative presented by Aflac throughout the disclosures emphasized that the intrusion was detected and contained quickly, that its core insurance operations were uninterrupted, and that the scope of the compromised data had been quantified after a thorough review of the potentially impacted files. The company’s statements consistently noted the absence of confirmed fraudulent use of the stolen information while urging recipients to remain alert to potential identity‑theft and fraud risks.
