Aflac Confirms Massive Data Breach Affecting 22.65 Million Individuals in June 2025 Cyberattack
Insurance giant Aflac has confirmed that a June 2025 cyberattack compromised the personal and sensitive data of approximately 22.65 million individuals far exceeding the initial placeholder figure of 500 reported to the HHS’ Office for Civil Rights on August 8, 2025. The breach, detected on June 12, 2025, was contained within hours, but investigations later revealed that a threat actor gained access to multiple systems through social engineering attacks on user accounts.
Aflac, a Fortune 500 company specializing in supplemental health insurance with 50 million customers worldwide, operates subsidiaries in the U.S. and Japan. The compromised data includes names, addresses, dates of birth, government-issued IDs (passport, driver’s license, Social Security numbers), medical information, and health insurance details affecting customers, beneficiaries, employees, and agents in its U.S. business. While no misuse of the stolen data has been reported, Aflac is offering 24 months of complimentary credit monitoring and identity theft protection to affected individuals.
The attack is suspected to be the work of Scattered Spider, a financially motivated hacking group known for targeting critical sectors, including healthcare, insurance, and retail. The group, composed of young English-speaking hackers primarily based in the U.S. and U.K., has previously conducted social engineering campaigns against IT help desks and managed service providers (MSPs). The HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning about the group in October 2024, citing its growing threat to the healthcare and public health sectors.
This breach ranks among the largest U.S. healthcare data breaches of 2025, with over 20 class action lawsuits filed and regulatory investigations underway to assess Aflac’s compliance with data privacy laws. The incident follows similar attacks on other insurers, including Erie Insurance Group and Philadelphia Insurance Companies, suggesting a coordinated campaign against the industry.
On August 28, 2025, Senators Bill Cassidy (R-La.) and Margaret Wood Hassan (D-N.H.) demanded further transparency from Aflac, requesting details on pre-attack security measures, federal notifications, and steps taken to improve cybersecurity protocols. Aflac has until September 5, 2025, to respond.
While ransomware was not deployed in this attack, Scattered Spider’s shift toward data theft and extortion signals an evolving threat to the insurance sector. The breach underscores the group’s ability to exploit social engineering for initial access, even against large, well-resourced organizations.
Source: https://www.hipaajournal.com/aflac-data-breach/
Aflac cybersecurity rating report: https://www.rankiteo.com/company/aflac
"id": "AFL1768391547",
"linkid": "aflac",
"type": "Breach",
"date": "12/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '22,650,000',
'industry': 'Insurance',
'location': 'Columbus, GA, USA',
'name': 'Aflac',
'size': 'Fortune 500, 50 million customers worldwide',
'type': 'Insurance Company'}],
'attack_vector': 'Social Engineering',
'customer_advisories': 'Notification letters sent to affected individuals; '
'complimentary credit monitoring and identity theft '
'protection services offered for 24 months.',
'data_breach': {'data_encryption': 'No',
'data_exfiltration': 'Yes',
'number_of_records_exposed': '22,650,000',
'personally_identifiable_information': 'Names, addresses, '
'dates of birth, '
'government-issued ID '
'numbers, Social '
'Security numbers',
'sensitivity_of_data': 'High (government-issued IDs, Social '
'Security numbers, medical '
'information)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)']},
'date_detected': '2025-06-12',
'date_publicly_disclosed': '2025-06-12',
'description': 'Aflac, a Fortune 500 insurance giant specializing in '
'supplemental health insurance, experienced a cyberattack in '
'June 2025 that compromised the personal and protected health '
'information of approximately 22.65 million individuals. The '
'attack was detected on June 12, 2025, and contained within '
'hours. The threat actor accessed multiple user accounts '
'through social engineering and may be affiliated with the '
'cyber-criminal group Scattered Spider. The breach affected '
'customers, beneficiaries, employees, agents, and other '
'individuals in Aflac’s U.S. business.',
'impact': {'brand_reputation_impact': 'Significant (over 20 class action '
'lawsuits filed)',
'data_compromised': 'Names, addresses, dates of birth, '
'government-issued ID numbers (passport, state '
'ID, driver’s license), Social Security '
'numbers, medical information, health '
'insurance information',
'identity_theft_risk': 'High (complimentary credit monitoring and '
'identity theft protection services offered '
'for 24 months)',
'legal_liabilities': 'Regulatory investigations initiated; '
'potential fines under state and federal data '
'privacy laws',
'operational_impact': 'No impact on business operations; continued '
'underwriting policies, reviewing claims, '
'and servicing customers',
'systems_affected': 'Multiple Aflac systems'},
'initial_access_broker': {'entry_point': 'Social engineering (user accounts)'},
'investigation_status': 'Ongoing',
'motivation': 'Financial Gain',
'post_incident_analysis': {'root_causes': 'Social engineering attack; '
'potential lack of robust '
'multi-factor authentication or '
'employee training'},
'ransomware': {'data_encryption': 'No', 'data_exfiltration': 'Yes'},
'references': [{'date_accessed': '2025-08-28', 'source': 'HIPAA Journal'},
{'date_accessed': '2025-06-12',
'source': 'U.S. Securities and Exchange Commission (SEC) '
'Filing'},
{'source': 'Google Threat Intelligence Group'},
{'source': 'ReliaQuest'}],
'regulatory_compliance': {'legal_actions': 'Over 20 class action lawsuits '
'filed; regulatory investigations '
'initiated',
'regulations_violated': ['HIPAA',
'State data privacy laws'],
'regulatory_notifications': 'Reported to HHS’ '
'Office for Civil '
'Rights on August 8, '
'2025 (placeholder '
'figure of 500 used '
'initially)'},
'response': {'communication_strategy': 'Press releases, notification letters '
'to affected individuals, SEC filing',
'containment_measures': 'Intrusion contained within hours',
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Federal law enforcement notified',
'third_party_assistance': 'Leading cybersecurity experts '
'engaged'},
'stakeholder_advisories': 'Senators Bill Cassidy and Margaret Wood Hassan '
'requested further information about the incident '
'on August 28, 2025, with a deadline of September '
'5, 2025.',
'threat_actor': 'Scattered Spider',
'title': 'Aflac Cyberattack and Data Breach',
'type': 'Data Breach'}