On June 12, 2025, Aflac Incorporated, one of the largest supplemental health insurers in the U.S., spotted suspicious activity on its U.S. network. The company quickly activated its incident response protocols and shut down the intrusion within hours. While no ransomware was found, the breach may have exposed a wide range of private customer and employee data, including Social Security numbers, insurance claims, and medical data.
What happened and when
- June 12: Aflac detected unusual network activity. It used internal systems to halt the attack swiftly.
- June 20: The company went public with the breach. Aflac said it had blocked the threat within hours and that its systems remained fully functional.
- In a press statement, Aflac confirmed that its U.S. operations weren’t hit by ransomware. Insurance underwriting, filing claims, and customer services continued normally.
- The company is working with leading third-party cybersecurity teams to review affected files and assess how much data was exposed.
What data could be exposed
At this stage, it’s unclear exactly how many people were affected. Aflac’s investigation is ongoing. Early findings indicate that files containing Social Security numbers, health details, insurance claims, and other personal information belonging to policyholders, employees, agents, beneficiaries, and others may be at risk.
To support those possibly affected, Aflac is offering:
- 24 months of free credit-monitoring and identity-theft protection
- Medical Shield coverage for two years
- A dedicated call center (1‑855‑361‑0305) open daily in late June
Who’s behind the attack?
None of Aflac’s public statements named the perpetrators. Still, cybersecurity experts have noted that this breach comes during a wave of hacks hitting insurers this month—including Erie Insurance and Philadelphia Insurance Companies. These incidents share similar tactics, suggesting a coordinated campaign by the same cybercrime group.
That group appears to be “Scattered Spider,” a youthful hacking collective active since mid-2022, believed to be based in the U.S. and U.K. They are known for sophisticated social‑engineering attacks, often posing as tech‑support staff to trick employees over the phone and online. Once they gain credentials, they can move inside networks rapidly.
Scattered Spider is notorious for high-profile attacks, including on MGM Resorts and Caesars Entertainment in 2023, and more recently U.K. and U.S. retailers. Their shift into insurance comes after Google’s Threat Intelligence Group warned of multiple intrusions showing Scattered Spider’s “hallmarks”: sector-specific targeting, help-desk impersonation, rapid escalation.
As John Hultquist, chief analyst at Google’s threat group, put it:
“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”
Why this matters
- Mass reach: Aflac serves tens of millions of customers. Any breach could expose critical financial and medical data on a large scale.
- Fast-moving methodology: Unlike ransomware gangs, Scattered Spider acts swiftly. FBI veteran Cynthia Kaiser warns, “They can execute their full attacks in hours. Most other ransomware groups take days.”
- Industry ripple effects: Breaches at Erie, Philadelphia Insurance, and now Aflac show the insurance sector is under systematic attack. Analysts say more companies may come forward in the coming days.
- Growing threat landscape: Financial data, health records, and SSNs are highly valuable. Breaches like this can lead to fraud, identity theft, and long-term reputational damage.
How the attack worked
Scattered Spider uses social engineering as its main tool:
- They call employees and pretend to be IT or security staff, asking for access or credentials.
- They sometimes register fake help-desk domains that mirror real IT portals.
- Once they gain trusted access, they move laterally inside the network and extract data—all without deploying ransomware.
Aflac’s public note says the initial breach came from social engineering, not technical exploitation. Other early victims in the sector reported the same phone-based deception method.
Response from Aflac and the industry
- Aflac says its core functions continue normally—employees can underwrite new policies, file and review claims, and serve customers.
- Third-party cybersecurity experts have been brought in to investigate and recover data.
- The company will notify regulators as required, including the SEC.
- Free identity protection services are being offered to affected individuals.
Erie and Philadelphia insurers also responded with tight lockdowns, disconnecting critical systems and working with law enforcement.
What experts recommend
Industry leaders are urging insurers and other organizations to:
- Train staff to spot and resist social-engineering calls and emails.
- Institute strict protocols to verify callers, even if they claim to be internal IT.
- Use multi-factor authentication, credential monitoring, and checks on external link domains.
- Run tabletop exercises to simulate attacks, so teams can respond quickly.
- Share threat intelligence—industry-wide alerts can help others prepare.
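One way to implement the "checks on external link domains" recommendation against the fake help-desk domains described under "How the attack worked" is sketched below. This is an added example, not code from Aflac, Google, or any vendor named in the article; the organisation name `examplecorp`, the keyword list, and the log lines are constructed assumptions.

```python
import re

BRAND = "examplecorp"              # hypothetical organisation name (assumption)
OWNED = {"examplecorp.com"}        # hypothetical legitimately owned domains
KEYWORDS = ("helpdesk", "servicedesk", "support", "sso", "vpn")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'high', 'medium' or None for one hostname."""
    labels = host.lower().rstrip(".").split(".")
    # Naive registrable domain (last two labels); use the Public Suffix List in production.
    if ".".join(labels[-2:]) in OWNED:
        return None
    # Split every label except the TLD on dots and hyphens.
    tokens = [t for t in re.split(r"[.\-]", ".".join(labels[:-1])) if t]
    brand_like = any(BRAND in t or edit_distance(t, BRAND) <= 2 for t in tokens)
    if not brand_like:
        return None
    # Brand plus an IT-portal keyword mirrors a help-desk page: highest priority.
    keyword = any(k in t for t in tokens for k in KEYWORDS)
    return "high" if keyword else "medium"

# Constructed proxy-log lines for illustration only.
SAMPLE_LOG = [
    "2025-06-10T14:02:11Z user=jdoe host=sso.examplecorp.com",
    "2025-06-10T14:05:40Z user=jdoe host=examplecorp-helpdesk.com",
    "2025-06-10T14:07:02Z user=asmith host=exarnplecorp.com",
    "2025-06-10T14:09:55Z user=asmith host=support.vendor.example",
    "2025-06-10T14:12:31Z user=bkim host=helpdesk-examplecorp.sso-login.net",
]

def flag_lines(lines):
    """Return (host, severity) for every log line whose host looks like a brand lookalike."""
    hits = []
    for line in lines:
        m = re.search(r"\bhost=(\S+)", line)
        severity = classify(m.group(1)) if m else None
        if severity:
            hits.append((m.group(1), severity))
    return hits

if __name__ == "__main__":
    for host, severity in flag_lines(SAMPLE_LOG):
        print(severity, host)
```

The same classifier can be run over newly registered domain feeds or mail-gateway URL logs, so a lookalike portal is flagged before an employee is directed to it during a call.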
John Hultquist stresses: “They are already taking food off shelves and freezing businesses.” The sheer speed and precision of Scattered Spider’s approach poses a real threat.
Looking broader
This isn’t the only major breach of 2025. Last year saw the UnitedHealth/Change Healthcare hack that exposed data on over 100 million individuals. In early 2025, a theft of $90M from Iran’s Nobitex exchange highlighted the role of geopolitical tensions in cybercrime.
Experts say attacks will grow more sophisticated as cybercriminals adopt AI tools, phishing bots, and “MFA bombing” to overwhelm users. That makes basic defenses like staff training even more vital.
Bottom line
- Aflac had its U.S. network breached on June 12. Hackers may have accessed Social Security numbers, health records, claims, and more.
- The attack fits a series hitting the insurance sector now. Both Erie and Philadelphia insurers were hit earlier this month.
- Signs point to Scattered Spider, known for social‑engineering calls and fast intrusions.
- Aflac and peers are working with cyber teams, monitoring systems, and offering support to those affected.
- Insurance companies must urgently harden defenses, train staff, and share intel.
This breach isn’t over. Aflac is still reviewing files, and investigations are ongoing. Other insurers might disclose similar incidents soon. But one lesson is clear: simple security missteps—like trusting unexpected calls—are costing big. And until the insurance sector fixes that gap, cybercriminals will keep targeting it.
Key timeline