Cyber Incident Victim: Aflac Incorporated

Date: Jan 2018

Location: United States of America

Summary

Aflac Incorporated experienced a cybersecurity incident involving unauthorized access to independent contractor sales agents' email accounts, potentially exposing clients' sensitive personal information. The breach compromised details including names, addresses, dates of birth, policy and Social Security numbers, and bank account data, with the company's internal review confirming the exposure scope. The incident occurred over several months, and the company did not disclose the total number of affected individuals.

Description

In early 2018, Aflac Incorporated experienced a cybersecurity incident involving unauthorized access to the email accounts of its independent contractor sales agents. The breach occurred over an extended period, with attackers compromising these accounts between January 17 and April 2. During this nearly three-month window, threat actors gained access to sensitive client information stored within the agents' email systems. Aflac's internal investigation, concluded on April 25, confirmed that personal data belonging to policyholders had been exposed through these compromised accounts. The company did not publicly disclose the specific number of affected individuals or agents involved in the breach, nor did it reveal the exact method of initial email account compromise.

The exposed client information included highly sensitive personal identifiers such as full names, physical addresses, dates of birth, Aflac policy numbers, Social Security numbers, and bank account details. This combination of compromised data elements created significant risks for identity theft and financial fraud against impacted clients. Aflac issued a press release acknowledging the breach, though the notification was not immediately posted on the company's official website according to contemporaneous reports. The disclosure did not specify whether the company implemented additional security measures for agent email accounts following the incident or if law enforcement agencies were involved in investigating the breach. No information was provided regarding potential motives behind the attack or whether the exposed data was subsequently misused by the threat actors.
