Aflac and Philadelphia Insurance Companies: US insurance giant Aflac says hackers stole personal and health data of 22.6 million people

Aflac Confirms Massive Data Breach Impacting 22.65 Million Customers

U.S. insurance giant Aflac has disclosed a significant data breach affecting approximately 22.65 million individuals, with stolen information including Social Security numbers, government-issued IDs, health records, and medical insurance details. The breach was first acknowledged in June, though the company initially withheld the number of affected customers.

In regulatory filings with the Texas and Iowa attorneys general, Aflac confirmed that the stolen data encompasses names, dates of birth, home addresses, driver’s license numbers, passport details, and health-related information. The company also indicated that the cybercriminals behind the attack may be linked to a known hacking group, with federal law enforcement and cybersecurity experts suggesting the breach was part of a broader campaign targeting the insurance sector.

Security researchers suspect the attack may be tied to Scattered Spider, a loosely organized hacking collective known for targeting financial and insurance industries. At the time of the breach, the group was actively pursuing similar attacks, including incidents at Erie Insurance and Philadelphia Insurance Companies.

Aflac, which serves around 50 million customers, has not provided further details on the breach’s origin or the group’s specific involvement. The company has begun notifying affected individuals, though no additional public statements have been issued.

Source: https://techcrunch.com/2025/12/23/us-insurance-giant-aflac-says-hackers-stole-personal-and-health-data-of-22-6-million-people/

Aflac cybersecurity rating report: https://www.rankiteo.com/company/aflac

Philadelphia Insurance Companies cybersecurity rating report: https://www.rankiteo.com/company/philadelphia-insurance-companies

"id": "AFLPHI1766519998",
"linkid": "aflac, philadelphia-insurance-companies",
"type": "Breach",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': '22.65 million',
                        'industry': 'Insurance',
                        'location': 'United States',
                        'name': 'Aflac',
                        'size': 'Large (50 million customers)',
                        'type': 'Insurance Company'}],
 'customer_advisories': 'Notifications sent to affected customers',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '22.65 million',
                 'personally_identifiable_information': 'Names, dates of '
                                                        'birth, home '
                                                        'addresses, '
                                                        'government-issued ID '
                                                        'numbers, driver’s '
                                                        'license numbers, '
                                                        'Social Security '
                                                        'numbers',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Health Information']},
 'date_publicly_disclosed': 'June 2024',
 'description': 'U.S. insurance giant Aflac disclosed a data breach where '
                'hackers stole customers’ personal information, including '
                'Social Security numbers and health information. The company '
                'confirmed it has begun notifying around 22.65 million people '
                'whose data was stolen during the cyberattack.',
 'impact': {'brand_reputation_impact': 'Likely significant',
            'data_compromised': 'Customer names, dates of birth, home '
                                'addresses, government-issued ID numbers '
                                '(passports, state ID cards), driver’s license '
                                'numbers, Social Security numbers, medical and '
                                'health insurance information',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'Possible regulatory fines and legal actions'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain, targeting insurance industry',
 'ransomware': {'data_exfiltration': 'Yes'},
 'references': [{'source': 'TechCrunch'},
                {'source': 'Aflac filings with Texas and Iowa attorneys '
                           'general'}],
 'regulatory_compliance': {'regulations_violated': ['Potential violations of '
                                                    'state data breach '
                                                    'notification laws',
                                                    'Possible HIPAA '
                                                    'violations'],
                           'regulatory_notifications': 'Filed with Texas and '
                                                       'Iowa attorneys '
                                                       'general'},
 'response': {'communication_strategy': 'Filing with state attorneys general, '
                                        'customer notifications',
              'law_enforcement_notified': 'Federal law enforcement notified',
              'third_party_assistance': 'Third-party cybersecurity experts '
                                        'involved'},
 'threat_actor': 'Scattered Spider (suspected)',
 'title': 'Aflac Data Breach - Customer Personal Information Stolen',
 'type': 'Data Breach'}