Aflac has disclosed a cybersecurity breach affecting its US network, attributing the incident to a cybercrime group engaged in a broader campaign targeting insurance firms.
The breach was discovered on June 12. According to the company, its internal cyber response protocols were enacted immediately, and the intrusion was contained within hours.
Aflac said that its systems were not compromised by ransomware and that business operations – including policy underwriting, claims review, and customer service – remain fully functional.
The insurer noted that the attack was carried out by a sophisticated threat actor and forms part of a wider campaign against the insurance industry. The incident appears to align with a series of intrusions reported in recent weeks by other insurers, including Erie Insurance and Philadelphia Insurance Companies.
These breaches have been linked to a group known as Scattered Spider, which has previously targeted large corporations using advanced social engineering techniques. Google’s Threat Intelligence unit has flagged Scattered Spider as one of the most prolific and capable cybercrime gangs currently operating, with a specific focus on critical sectors such as financial services and insurance.
In response to the Aflac incident, the company said that external cybersecurity experts were brought in to assist with the investigation. While the review remains in its early stages, initial findings suggest the attackers gained network access using social engineering tactics.
Aflac has also begun examining files that may have been accessed but has not yet determined the number of affected individuals.
The breach at Aflac comes shortly after the cyberattack on Erie Insurance led to a proposed class-action lawsuit in Pennsylvania federal court. The complaint alleges that Erie failed to implement reasonable cybersecurity measures, resulting in a compromise of sensitive customer data.
While Aflac has not commented on any potential litigation, its disclosure of affected data types – including health information and Social Security numbers – may prompt similar legal scrutiny.
The data under review by Aflac includes claims records, health details, Social Security numbers, and other personal information related to policyholders, beneficiaries, employees, agents, and other individuals connected to its U.S. operations.
The growing frequency of these incidents has drawn attention not only to external threats but also to internal systems management. Industry analysts have highlighted that non-malicious technical issues – such as software misconfigurations or poorly timed updates – can still trigger vulnerabilities.
Meanwhile, Aflac said that individuals who contact that company’s designated call center are being offered complimentary credit monitoring, identity theft protection, and Medical Shield coverage for a period of 24 months.
The company said it is continuing to assess the scope of the incident and will provide updates to stakeholders as additional information becomes available.
What are your thoughts on this story? Please feel free to share your comments below.
