Aflac detected a cyberattack on its U.S. network on 12 June and contained the intrusion within hours. The company has confirmed that the attack may have compromised sensitive personal data, including Social Security numbers, claims and health information belonging to customers, beneficiaries, employees and agents. Operations remain fully functional as experts investigate the full extent of the breach.
The insurer’s SEC filing and subsequent statement referred to the perpetrators as a “sophisticated cybercrime group”. While Aflac has not named the group outright, investigations by cybersecurity experts and law enforcement officials link the attack to Scattered Spider, a hackers’ collective believed to be operating in the U.S. and U.K. that relies on social-engineering tactics—posing as tech support to manipulate employees into granting access.
Cybersecurity analysts say attackers gained an initial foothold by deceiving staff over the phone. From there, they accessed and extracted files containing personally identifiable information—including health and claims records—though no ransomware was deployed and no systems were encrypted. That allowed Aflac to continue underwriting, processing claims and servicing policies without interruption.
Aflac’s customers list stands at more than 50 million policyholders in the U.S. and Japan, according to company disclosures. Given the volume of data handled and the indeterminate number of affected individuals, the insurer has begun offering two years of free credit monitoring and identity-theft protection services to anyone who may be impacted. Federal regulators will be notified in line with legal requirements.
The incident forms part of a wider pattern affecting the insurance sector this month. Erie Insurance and Philadelphia Insurance Companies have reported analogous breaches. In Aflac’s case, spokespersons indicated the breach fits a deliberate campaign targeting insurers—and it may not be an isolated incident.
The profile of Scattered Spider draws attention for its youth-led structure, transatlantic reach and opportunistic targeting of high-value sectors. The group is notorious for high-profile breaches in the retail and hospitality sectors—including casino and hotel chains in Las Vegas during 2023—and more recently retailers such as Marks & Spencer, Victoria’s Secret and United Natural Foods.
Experts stress that Scattered Spider’s approach is aggressive and rapid, capable of executing full-scale breaches within hours. Cynthia Kaiser, former deputy assistant director of the U.S. FBI’s Cyber Division, warns that these attackers often register domains that mimic legitimate corporate help desks to support phishing campaigns, underscoring the importance of staff training and internal verification protocols.
John Hultquist, chief analyst at Google’s Threat Intelligence unit, notes that the group’s expansion into the insurance domain occurred in parallel with extortion campaigns targeting both corporate and municipal entities. He cautions that financial and public-sector organisations may be next in line.
Aflac has retained third-party cybersecurity specialists to conduct a full review of the compromised systems, isolate vulnerabilities and recommend improvements. An ongoing forensic analysis is underway to determine the exact scale of the data breach and prevent potential further intrusions.
Market reaction was muted. Though Aflac shares dipped roughly 1.3 per cent in early trading following the disclosure of the incident, they have since stabilised near flat levels for 2025. This mirrors modest market responses observed during previous industry-wide breaches, reflecting investor confidence in operational resilience when ransomware is absent.
Insurance-sector leaders are doubling down on cybersecurity investment. Firms are ramping up employee awareness campaigns, introducing multifactor authentication, simulating phishing drills and hardening external communication protocols. The FBI and the U.S. Cybersecurity & Infrastructure Security Agency have issued alerts urging immediate vigilance across the sector, particularly in call centres and help-desk functions.