Aflac has completed a review of files tied to a June cybersecurity incident and has begun notifying roughly 22.65 mn affected individuals. The process follows weeks of internal analysis and coordination with outside specialists.
The breach traces back to June, when a sophisticated cybercrime group accessed parts of Aflac’s systems using social engineering tactics.
The company says it detected suspicious activity quickly and shut it down within hours. Systems stayed online throughout. No ransomware deployed. That detail matters, even if customers still feel rattled.
Aflac says it hasn’t seen evidence of fraudulent use of personal data so far. Monitoring continues. Third-party firms remain involved, and federal law enforcement received notice early in the response.
According to Beinsure, that sequence reflects a fairly standard large-carrier incident playbook, nothing experimental.
The potentially exposed information varied by individual. Aflac previously said impacted data could include names, contact details, claims records, health information, and Social Security numbers.
Not every file contained all of that. That uneven exposure complicates notification, and probably explains the delay.
While the data review wrapped only recently, Aflac says it moved fast on consumer support. Credit monitoring and identity theft protection were offered almost immediately.
Those services run for 24 months and remain available to any Aflac customer who contacts a dedicated call centre line. The offer isn’t limited to confirmed exposures, which feels intentional.
Aflac wasn’t alone during that stretch. Several insurers reported cyber incidents around the same time, including Erie Insurance Group and Philadelphia Insurance .
Timing like that tends to raise eyebrows, even when attacks aren’t formally linked.
In a follow-up statement, Aflac thanked customers for their patience and reiterated that the incident affected only a limited number of US systems.
Accounts flagged as potentially impacted were secured, passwords reset, and monitoring expanded. So far, no confirmed misuse of data. For a supplemental insurer with deep payroll reach, that’s a large number, even by recent cyber standards.
About Aflac’s cybersecurity incident
Aflac first disclosed the cyberattack after spotting unauthorized activity on its US network on June 12, 2025, and it publicly acknowledged the breach in a June 20 filing with the SEC.
The company said it stopped the intrusion within hours and maintained core operations throughout, without ransomware locking systems.
Subsequent regulatory filings and state attorney general notices reveal the stolen data stretches beyond what Aflac initially outlined.
- The breach compromised personal information for about 22.65 mn individuals, including names, dates of birth, home addresses, government-issued ID numbers such as driver’s licenses and passport numbers, Social Security numbers, and detailed medical and health insurance information covering customers, employees, agents, and beneficiaries.
- Law enforcement and cybersecurity experts believe the attack fits the pattern of Scattered Spider, a loosely affiliated cybercrime collective known for social engineering and impersonation tactics targeting help desks and internal staff to bypass access controls. Those same tactics have been linked to breaches at other insurers and companies in recent months.
- Political scrutiny followed. A bipartisan pair of US senators pressed Aflac’s leadership for clearer answers on its cybersecurity practices, asking for detailed timelines of breach detection, notification, and remediation steps, as well as what agencies were notified and how customer data protections will improve going forward.
- At least one class action complaint has been filed alleging Aflac failed to implement reasonable safeguards to protect highly sensitive information and violated data privacy commitments when exposing claims records, health details, and personally identifiable information.
Industry analysis places this event squarely in a broader trend of cybercriminal campaigns against the insurance sector, as carriers hold troves of financial, health, and identity data that attract sophisticated hacking groups.
Aflac’s incident underscores how human-centric social engineering remains a critical vulnerability even when core infrastructure and anti-ransomware protections are robust.
