Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Aflac confirms hack exposed personal data of 22.6 million people

Written by Tshedimoso Makhene | December 29, 2025

In a major cybersecurity disclosure, US insurance giant Aflac revealed that hackers stole highly sensitive personal and health information belonging to roughly 22.65 million people in a breach first detected in June. 

What happened

According to Aflac, on 12 June 2025, the company identified suspicious activity in its US network. The company's security teams responded immediately, activating incident response protocols and containing the intrusion within hours. Officials later confirmed that no ransomware was deployed, and core operations continued uninterrupted.

At the time, Aflac said it was still investigating and could not yet determine the number of affected individuals. Recent filings reported by TechTarget have now clarified that about 22.65 million people’s records were stolen during the cyberattack.

According to filings with the Texas and Iowa attorney general offices, the compromised data includes:

  • Full names and dates of birth
  • Home addresses
  • Government-issued identification numbers (including passport and state ID numbers)
  • Social Security numbers
  • Driver’s license numbers
  • Medical and health insurance information

Going deeper

According to Dataconomy, Aflac’s disclosure suggests the breach was carried out by a sophisticated cybercrime group actively targeting the insurance industry. Federal law enforcement and independent cybersecurity experts believe this group may have been conducting a coordinated campaign against multiple insurance firms. 

Security analysts have linked similar incidents to a loosely organized collective known as Scattered Spider, a primarily English-speaking cybercriminal group that has targeted U.S. corporations using advanced social engineering techniques. While Aflac hasn’t publicly named the threat actor, timing and modus operandi are consistent with patterns attributed to this group.

What was said

According to the filing with the Iowa attorney general, the attackers gained unauthorized access to “one or more user accounts through social engineering.” The notice further states that “The unauthorized actor may be affiliated with a known cyber-criminal organization; federal law enforcement and third party cybersecurity experts have indicated that this group may have been targeting the insurance industry at large,” demonstrating a trend of social engineering attacks on insurance companies. 

In the know

Scattered Spider is a cybercriminal threat group spotlighted in a joint Cybersecurity Advisory (AA23-320A) from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and partners, including the FBI and international agencies. 

Originally identified in November 2023, the group is notorious for using advanced social engineering tactics to compromise large organizations. Their playbook includes phishing, push bombing (MFA fatigue), and SIM-swapping attacks to trick employees, often IT help-desk personnel, into handing over credentials or approving multi-factor authentication codes, enabling access to corporate networks. 

Scattered Spider has evolved beyond credential theft and data exfiltration, with recent updates to the advisory noting their use of ransomware variants, including DragonForce, in double-extortion operations that both steal and encrypt data. 

The group’s activities have impacted numerous sectors, prompting warnings from U.S., Canadian, U.K., and Australian cybersecurity authorities. 

Security officials urge organizations to strengthen identity protections, adopt phishing-resistant authentication, and reinforce defenses against this adaptable and persistent adversary.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQs

Why do cybercriminals target help desks?

Help desks often have authority to reset credentials and may prioritize speed and customer service, making them attractive targets for impersonation attacks.

Could there be legal or regulatory consequences following this breach?

Yes. Large breaches often lead to regulatory scrutiny, lawsuits, and potential penalties under state and federal data protection laws.