Aflac Discloses a Data Breach

Aflac disclosed a major security incident from June 2025 that compromised personal and health data of 22.65 million customers, beneficiaries, employees, and agents . Hackers accessed sensitive details including Social Security numbers, names, addresses, driver’s licenses, claims, and medical information on June 12.

Incident Timeline

Aflac detected suspicious activity on June 12, 2025, and contained it within hours using third-party experts and law enforcement. The company provided initial resources like credit monitoring without full victim counts, finalizing the scope on December 4 after reviewing impacted files. Notifications to states like Texas and Iowa began in December, confirming the breach’s scale.

Data Compromised

Stolen files held names, contact info, Social Security numbers, government IDs, driver’s licenses, health records, and claims data—not every element for all 22.65 million affected. This represents a significant portion of Aflac’s 50 million customers. No ransomware was deployed, but the exposure heightens identity theft risks.

Threat Actor Insights

Attackers likely belong to Scattered Spider, a group targeting insurance firms via social engineering around that time. Similar breaches hit Erie Insurance and Philadelphia Insurance Companies. Federal authorities and experts linked them to broader industry attacks.

Aflac’s Response Measures

Aflac reset credentials, enhanced monitoring, and offers 24 months of free CyEx Medical Shield—including credit monitoring, identity theft protection, and medical fraud support—via 1-855-361-0305 (enrollment deadline April 18, 2026) . No fraudulent activity is confirmed yet. A class-action lawsuit claims inadequate protections like encryption failures.