Cybercriminals breached insurance giant Aflac, potentially stealing Social Security numbers, insurance claims and health information, the company said on Friday (June 20), the latest in a spree of hacks against the insurance industry. The Georgia-based company issued a statement and also notified the Securities Exchange Commission (SEC) on Friday, explaining that the incident was initially identified on June 12.

“This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group,” Aflac said in a statement on Friday, without naming Scattered Spider. Aflac said it “stopped the intrusion within hours” after discovering it last week, that no ransomware was deployed, and that it continues to serve its customers.

“We have engaged leading third-party cybersecurity experts to support our response to this incident. While the investigation remains in its early stages, in the spirit of transparency and care for our customers, we are sharing that our preliminary findings indicate that the unauthorized party used ‘social engineering tactics’ to gain access to our network. Additionally, we have commenced a review of potentially impacted files. It is important to note that the review is in its early stages, and we are unable to determine the total number of affected individuals until that review is completed. The potentially impacted files contain claims information, health information, social security numbers, and/or other personal information, related to customers, beneficiaries, employees, agents, and other individuals in our U.S. business. We remain committed to caring for and supporting our customers. While our teams work to review the potentially impacted data and determine the specific information involved, we are offering any individual who contacts our dedicated call center free credit monitoring and identity theft protection, and Medical Shield for 24 months,” it further read.



The number of customers affected was still under investigation. The company said it has reached out to third-party cybersecurity experts to probe the incident and has started a review of potentially impacted files.

In 2023, Aflac reported a data breach in Japan that affected 1.3 million customers holding cancer-related insurance policies. Aflac is one of the largest insurance companies in the US and Japan, reporting a total 2024 revenue of $18.9 billion. In the SEC filing, the company said the “full scope and potential ultimate impact” on their finances is unknown.

With billions of dollars in yearly revenues and tens of millions of policyholders, Aflac is the biggest victim so far in the ongoing cyber attack on US insurance firms that has the sector in a panic and the FBI and private cyber security experts racing to contain the damage.