The Aflac Tower in Columbus, Georgia. Image: Wikimedia Commons / CC BY-SA 3.0
A recent data breach, which occurred in June, has reportedly compromised the personal information of over 22 million Aflac customers, as confirmed by the company.
The Georgia-headquartered insurance provider released a statement detailing the completion of its extensive investigation into the cybersecurity incident first disclosed earlier this year.
Aflac had previously informed the Securities Exchange Commission (SEC) that although a hacker intrusion was halted “within hours,” cybercriminals managed to exfiltrate some files.
The company confirmed that ransomware was not involved in the incident. Notifications have been sent to state regulators, and breach notification letters are being dispatched to affected individuals.
Texas officials reported that over 2 million state residents were impacted, contributing to a total of approximately 22.7 million individuals whose information was compromised.
Despite the cyberattack, Aflac experienced no operational disruptions. However, the stolen documents included sensitive details such as insurance claims, health information, Social Security numbers, and other personal data belonging to “customers, beneficiaries, employees, agents, and other individuals in its U.S. business.”
Federal law enforcement agencies were informed of the breach, and external cybersecurity specialists were engaged to manage the incident response.
According to the notification letters, the investigation concluded on December 4. Victims are being offered two years of identity protection services, with an enrollment deadline of April 18, 2026.
This incident occurred during a broader series of attacks targeting the insurance sector, attributed to a group called Scattered Spider. This loosely organized collective of English-speaking cybercriminals is known for infiltrating large corporations by impersonating IT personnel. Around the same period, Erie Insurance, Philadelphia Insurance Companies, and Scania Financial Services also reported cyberattacks.
Following these attacks, law enforcement agencies have dismantled a leak site utilized by the group, and two of its members were apprehended and charged in the U.K. A Justice Department complaint unsealed in September indicated that the Scattered Spider cybercriminal operation had extorted at least $115 million from numerous victims over the past three years.
