Aflac Data Breach Exposes 22.65 Million in Scattered Spider Insurance Campaign
Published: December 30, 2025
Category: Breach Analysis | Incident Response
Sector: Insurance / Healthcare
Executive Summary
Insurance giant Aflac has confirmed that a June 2025 cyberattack compromised the personal and protected health information of approximately 22.65 million individuals—making it one of the largest healthcare-related data breaches of the year. The intrusion, attributed to the sophisticated cybercrime collective known as Scattered Spider (also tracked as UNC3944), represents a concerning escalation in the group's sector-targeting strategy following earlier campaigns against UK and US retail organizations.
The breach exposed an extensive range of sensitive data including Social Security numbers, government-issued identification, medical records, health insurance information, and claims data. While Aflac contained the attack within hours of detection and no ransomware was deployed, the incident has triggered bipartisan Congressional scrutiny, multiple class-action lawsuits, and renewed calls for enhanced cybersecurity protections across the insurance sector.
Incident Timeline
| Date | Event |
|---|---|
| June 12, 2025 | Aflac detects suspicious network activity; attack contained within hours |
| June 20, 2025 | Initial SEC 8-K filing discloses cybersecurity incident |
| August 8, 2025 | Breach reported to HHS Office for Civil Rights (placeholder figure of 500) |
| August 22, 2025 | Senate HELP Committee sends inquiry letter to Aflac CEO |
| December 4, 2025 | Aflac determines stolen files trigger notification requirements |
| December 22, 2025 | Breach reported to Texas Attorney General |
| December 23, 2025 | Aflac announces 22.65 million individuals affected; begins notifications |
Attack Attribution: Scattered Spider's Insurance Pivot
Google's Threat Intelligence Group (GTIG) identified the Aflac breach as part of a broader campaign targeting the US insurance industry. According to GTIG chief analyst John Hultquist, the attacks bore "all the hallmarks of Scattered Spider activity."
Scattered Spider—also known as UNC3944, Octo Tempest, Star Fraud, and 0ktapus—is a loosely organized cybercrime collective notable for its predominantly English-speaking members and sophisticated social engineering capabilities. As we've covered extensively in our Scattered Spider overview, the group operates from within a larger online community known as "The Com" and has demonstrated a pattern of focusing on single industry sectors before pivoting to new targets.
Scattered Spider's Sector Progression
- 2022: Telecommunications providers (SIM swapping campaigns)
- 2023: Financial services, casino/gaming—including the devastating MGM and Caesars cyber heists that resulted in over $100 million in damages
- 2024: Food services
- April-May 2025: UK/US retail (Marks & Spencer, Co-op, Harrods, Victoria's Secret, Dior)
- June 2025: US insurance industry
The group's criminal evolution has seen multiple members arrested and sentenced, yet attacks continue unabated.
Attack Vector: Social Engineering at Scale
Aflac confirmed the attackers used social engineering tactics to gain network access—a signature Scattered Spider technique. The group typically targets IT help desks and privileged users through sophisticated phone-based attacks and impersonation schemes.
Common Scattered Spider TTPs
- Help desk manipulation: Impersonating employees to request credential resets
- SIM swapping: Compromising mobile accounts to bypass SMS-based MFA
- Phishing campaigns: Highly targeted spear-phishing with convincing pretexts
- Legitimate tool abuse: Leveraging TeamViewer, AnyDesk, and similar remote access tools
- Cloud identity abuse and lateral movement: After a help desk reset, enrolling an attacker-controlled MFA device on the victim's account and riding the victim's single sign-on into cloud consoles and SaaS applications, then adding privileged roles and moving laterally from there
According to CrowdStrike's Q2 2025 threat analysis, Scattered Spider's activities have primarily centered on US-based insurance and retail entities, with the group demonstrating particular effectiveness against enterprises with large help desks and outsourced IT functions.
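The first three TTPs above (help desk reset, SIM swap or fresh MFA enrollment, then privilege escalation through the cloud identity provider) leave a recognizable sequence in identity-provider audit logs. The following detection is an added example written for this page, not code from Aflac, GTIG, CrowdStrike or any identity vendor. It assumes a generic event shape (`type`, `actor`, `target`, `ip`, `ts`) rather than any product's real schema, and the events and per-user IP baseline are constructed sample data. The logic is the general pattern: a factor reset performed by someone other than the account owner, followed within a window by enrollment of a new factor from an IP the user has never used, with severity raised if a privilege change follows.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events in a generic identity-provider log shape.
# Field names and values are illustrative, not any vendor's real schema.
SAMPLE_EVENTS = [
    # Suspicious chain: help desk resets MFA, a new factor is enrolled from an unfamiliar IP,
    # then the account adds itself to a privileged group, all within 30 minutes.
    {"ts": "2025-06-12T09:02:00Z", "type": "user.mfa.factor.reset", "actor": "helpdesk.agent7", "target": "j.doe", "ip": "10.20.0.15"},
    {"ts": "2025-06-12T09:06:00Z", "type": "user.mfa.factor.enroll", "actor": "j.doe", "target": "j.doe", "ip": "203.0.113.44"},
    {"ts": "2025-06-12T09:15:00Z", "type": "user.session.start", "actor": "j.doe", "target": "j.doe", "ip": "203.0.113.44"},
    {"ts": "2025-06-12T09:31:00Z", "type": "group.membership.add", "actor": "j.doe", "target": "j.doe", "ip": "203.0.113.44", "group": "Cloud-Global-Admins"},
    # Benign chain: help desk reset followed by re-enrollment from the user's usual office IP, no privilege change.
    {"ts": "2025-06-12T11:00:00Z", "type": "user.mfa.factor.reset", "actor": "helpdesk.agent2", "target": "a.smith", "ip": "10.20.0.15"},
    {"ts": "2025-06-12T11:04:00Z", "type": "user.mfa.factor.enroll", "actor": "a.smith", "target": "a.smith", "ip": "198.51.100.7"},
    # Self-service reset (owner resets their own factor) is out of scope for this rule.
    {"ts": "2025-06-12T12:00:00Z", "type": "user.mfa.factor.reset", "actor": "b.lee", "target": "b.lee", "ip": "198.51.100.9"},
    {"ts": "2025-06-12T12:03:00Z", "type": "user.mfa.factor.enroll", "actor": "b.lee", "target": "b.lee", "ip": "203.0.113.80"},
]

# Constructed per-user baseline of IPs seen before the window; in practice built from 30 days of history.
BASELINE_IPS = {
    "j.doe": {"198.51.100.7", "198.51.100.8"},
    "a.smith": {"198.51.100.7"},
    "b.lee": {"198.51.100.9"},
}

# Event types that represent a privilege change in this hypothetical schema.
PRIVILEGE_EVENTS = {"group.membership.add", "user.role.assign", "application.admin.grant"}


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_helpdesk_takeover_chains(events, baseline_ips, window_minutes=60):
    """Correlate help-desk-initiated MFA resets with follow-on enrollment and privilege changes.

    Returns one alert per reset that was followed, within the window, by enrollment of a new
    factor from an IP outside the user's baseline. Severity is 'high' if a privilege change
    also occurred in the window, otherwise 'medium'.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["target"]].append({**e, "dt": _parse_ts(e["ts"])})

    alerts = []
    for user, evs in by_user.items():
        known_ips = baseline_ips.get(user, set())
        for i, reset in enumerate(evs):
            # Only resets performed by someone other than the account owner (help desk or admin).
            if reset["type"] != "user.mfa.factor.reset" or reset["actor"] == user:
                continue
            later = [x for x in evs[i + 1:] if x["dt"] - reset["dt"] <= window]
            enrolls = [x for x in later
                       if x["type"] == "user.mfa.factor.enroll" and x["ip"] not in known_ips]
            if not enrolls:
                continue  # re-enrollment from a known location is expected after a legitimate reset
            priv = [x for x in later if x["type"] in PRIVILEGE_EVENTS]
            alerts.append({
                "user": user,
                "severity": "high" if priv else "medium",
                "reset_by": reset["actor"],
                "enroll_ip": enrolls[0]["ip"],
                "minutes_to_enroll": int((enrolls[0]["dt"] - reset["dt"]).total_seconds() // 60),
                "privilege_events": [x["type"] for x in priv],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_helpdesk_takeover_chains(SAMPLE_EVENTS, BASELINE_IPS):
        print(alert)
```

Run against the sample data, only `j.doe` fires (high severity, enrollment four minutes after the reset from an IP never seen for that user, followed by a privileged group addition); `a.smith` re-enrolled from a baseline IP and `b.lee` reset their own factor, so neither produces an alert. In production the IP baseline would be replaced by a richer device and network fingerprint, and the reset event would be joined to the help desk ticket so the analyst can see what verification the agent actually performed.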
Compromised Data Categories
The breach exposed an extensive array of personally identifiable information (PII) and protected health information (PHI):
- Full names and contact information
- Social Security numbers
- Driver's license numbers
- Government-issued ID numbers
- Medical and health information
- Health insurance policy details
- Insurance claims data
- Dates of birth
This combination of identity documents and health context creates significant potential for sophisticated fraud schemes, including medical identity theft and synthetic identity creation.
Affected Population
Unlike many breaches that impact only customers, the Aflac incident affected multiple stakeholder categories:
- Policyholders and customers
- Policy beneficiaries
- Employees
- Insurance agents
- Other affiliated individuals
Aflac's Response
Immediate Actions
Aflac activated its cybersecurity incident response protocols upon detecting suspicious activity on June 12, 2025. According to company statements, the intrusion was "contained within hours" and did not result in ransomware deployment or operational disruption.
Key response measures included:
- Engagement of third-party cybersecurity experts
- Notification of federal law enforcement
- Password resets for affected accounts
- Comprehensive forensic investigation
Victim Remediation
Aflac is offering affected individuals complimentary protection services for 24 months through CyEx Medical Shield:
- Credit monitoring
- Identity theft protection
- Medical fraud protection
- Dedicated customer support
Enrollment deadline: April 18, 2026
Support hotline: 1-855-361-0305 (Monday-Friday 9am-9pm ET, Saturday 9am-5:30pm ET)
Regulatory and Congressional Scrutiny
Senate HELP Committee Inquiry
On August 22, 2025, Senators Bill Cassidy (R-LA), chairman of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Maggie Hassan (D-NH) sent a formal letter to Aflac CEO Daniel P. Amos demanding transparency about the incident.
The senators' questions addressed:
- Security protocols in place prior to the cyberattack
- Implementation of cybersecurity best practices from other critical infrastructure sectors
- Timeline of attack awareness and federal agency notifications
- Steps to identify compromised information
- Communication plans for affected individuals
- Remedial measures to improve security protocols
- Reporting commitments beyond HIPAA requirements
The inquiry comes amid escalating healthcare sector breaches—2024 saw over 700 large data breaches impacting approximately 276 million Americans, with average incident costs of $9.77 million.
HIPAA Reporting
Aflac filed a breach report with HHS's Office for Civil Rights on August 8, 2025, initially using a placeholder figure of 500 affected individuals while the investigation continued. The final count of 22.65 million was determined on December 4, 2025.
Legal Implications
Class Action Litigation
Multiple class-action lawsuits have been filed against Aflac in the wake of the breach disclosure. The Beasley Allen law firm—known for successful data breach litigation against AT&T, Target, and Home Depot—filed suit in federal court in Columbus, Georgia on behalf of plaintiffs Larry Golston, Dee Miles, and Leon Hampton.
The complaints allege:
- Negligence in protecting customer data
- Breach of contract
- Invasion of privacy
- Unjust enrichment
- Failure to implement adequate security measures
The cases have been consolidated before a federal judge in Columbus, with Aflac's response deadline set for mid-March 2026. Given the scale of the breach and the sensitivity of the exposed data, legal analysts anticipate significant settlement exposure.
Historical Context
Data breach settlements have reached substantial figures in recent years:
- AT&T (2024): 73 million customers affected; ongoing litigation
- Change Healthcare (2024): 192.7 million individuals in largest US health data breach
- Target: $39 million settlement for financial institutions
- Home Depot: $27.2 million cash settlement
Industry-Wide Implications
The Insurance Sector Under Siege
The Aflac breach was not an isolated incident. Google's June 2025 warning about Scattered Spider targeting insurance companies followed similar disclosures from:
- Erie Insurance (Pennsylvania): Unusual network activity detected June 7, 2025
- Philadelphia Insurance Companies: Network outage reported June 9, 2025
- Tokio Marine North America: Suspicious activity confirmed June 13, 2025
- Allianz Life: 1.4 million customers compromised through third-party cloud system in July 2025
Keith Wojcieszek, global head of threat intelligence at Kroll, noted that insurers possess uniquely valuable data—not only customer PII but detailed cybersecurity assessments of insured organizations that could inform future attacks against other companies.
Sector Vulnerabilities
The insurance industry faces structural cybersecurity challenges:
- Complex global operations: Distributed infrastructure complicates security monitoring
- High-value data concentration: PII, PHI, and financial data create attractive targets
- Help desk exposure: Large customer service operations vulnerable to social engineering
- Third-party dependencies: Outsourced IT functions expand attack surface
- Legacy systems: Integration challenges with modern security controls
Recommendations for Affected Individuals
If you received notification from Aflac or believe you may be affected:
- Enroll in offered protections: Register for CyEx Medical Shield services before April 18, 2026
- Monitor credit reports: Request free reports from Equifax, Experian, and TransUnion
- Review insurance statements: Check for unauthorized claims or policy changes
- Consider credit freezes: Prevent new account openings using your identity
- Enable fraud alerts: Request alerts from major credit bureaus
- Watch for targeted phishing: Be skeptical of communications referencing the breach
- Document suspicious activity: Report unauthorized transactions to Aflac and financial institutions
Recommendations for Insurance Organizations
Immediate Priorities
- Audit help desk authentication: Require positive identification for every password and MFA reset, such as a callback to the phone number on file in HR systems or a video check against a photo ID, and never treat employee ID, date of birth, or an SMS code as sufficient on their own; require manager approval for resets on privileged accounts
- Deploy phishing-resistant MFA: Move off SMS codes (defeated by SIM swapping) and app-based push or OTP (defeated by push fatigue and real-time phishing relays) to FIDO2/WebAuthn security keys or passkeys, which bind the authentication to the legitimate origin; prioritize help desk, IT administrator, and identity provider administrator accounts
- Review remote access tools: Allowlist a single sanctioned remote support tool, block installation and outbound connections for the rest (TeamViewer, AnyDesk, and similar), and alert when a new remote access binary appears on an endpoint
- Enhance identity provider security: Implement behavioral analytics for cloud identity systems
- Conduct social engineering assessments: Test help desk personnel with realistic vishing scenarios
Strategic Investments
- Zero trust architecture: Assume breach and verify continuously
- AI-powered threat detection: Deploy behavioral analytics for anomaly identification
- Privileged access management: Implement just-in-time access and session recording
- Incident response readiness: Conduct tabletop exercises simulating Scattered Spider TTPs
- Vendor risk management: Assess third-party security controls and access privileges
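The help desk recommendation above is easy to state and hard to enforce consistently across a large, partly outsourced support operation. The following policy engine is an added example written for this page, not Aflac's process or any vendor's product. The factor names (`callback_to_hr_number`, `existing_fido_key`, and so on), the privileged-user list, and the three sample requests are all hypothetical. It encodes the rules the list describes: attacker-knowable facts never suffice on their own, SMS cannot verify an MFA reset, privileged accounts need manager approval and an out-of-band callback, and repeated resets in a short window are treated as a takeover signal. Non-privileged borderline cases go to a second agent or security ("ESCALATE"); privileged ones are denied outright.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Verification evidence a help desk agent can record (hypothetical factor names).
# Weak factors are things a caller who has done reconnaissance, or holds a SIM swap,
# can supply; strong factors bind the request to an out-of-band channel or a physical
# credential already on file.
WEAK_FACTORS = {"caller_id", "employee_id", "date_of_birth", "last4_ssn", "manager_name", "sms_code"}
STRONG_FACTORS = {"callback_to_hr_number", "video_with_photo_id", "existing_fido_key", "in_person_badge"}


@dataclass
class ResetRequest:
    target_user: str
    action: str                      # "password_reset" or "mfa_reset"
    channel: str                     # "phone", "chat", or "in_person"
    evidence: set                    # factors the agent actually verified
    manager_approved: bool = False
    requested_at: datetime = field(default_factory=datetime.now)


@dataclass
class DirectorySnapshot:
    privileged_users: set            # accounts with admin roles in the identity provider
    recent_resets: dict              # user -> list of datetimes of prior resets


def evaluate_reset_request(req: ResetRequest, directory: DirectorySnapshot, velocity_hours: int = 24):
    """Return (decision, reasons); decision is 'ALLOW', 'ESCALATE', or 'DENY'."""
    reasons = []
    privileged = req.target_user in directory.privileged_users

    if not (req.evidence & STRONG_FACTORS):
        reasons.append("no out-of-band or physical verification; only attacker-knowable factors supplied")
    if "sms_code" in req.evidence and req.action == "mfa_reset":
        reasons.append("SMS code cannot verify an MFA reset (SIM-swap risk)")
    if privileged and req.action == "mfa_reset" and not req.manager_approved:
        reasons.append("MFA reset on a privileged account requires manager approval")
    if privileged and req.channel == "phone" and "callback_to_hr_number" not in req.evidence:
        reasons.append("phone request for a privileged account must be completed by callback to the HR number on file")
    prior = directory.recent_resets.get(req.target_user, [])
    if any(req.requested_at - t <= timedelta(hours=velocity_hours) for t in prior):
        reasons.append(f"another reset in the last {velocity_hours}h; repeated resets are a takeover signal")

    if not reasons:
        return "ALLOW", []
    # Privileged targets never get a borderline pass; others go to a second agent or security.
    return ("DENY" if privileged else "ESCALATE"), reasons


# Constructed sample data.
NOW = datetime(2025, 6, 12, 9, 0, 0)
DIRECTORY = DirectorySnapshot(
    privileged_users={"cloud.admin1"},
    recent_resets={"j.doe": [NOW - timedelta(hours=3)]},
)

# Scattered Spider-style pretext: caller knows the employee ID and date of birth,
# spoofs caller ID, and asks for an MFA reset on an admin account.
ATTACKER_STYLE = ResetRequest("cloud.admin1", "mfa_reset", "phone",
                              {"caller_id", "employee_id", "date_of_birth"}, requested_at=NOW)
# Legitimate admin: agent called back the HR number on file and the manager approved.
LEGIT_ADMIN = ResetRequest("cloud.admin1", "mfa_reset", "phone",
                           {"callback_to_hr_number"}, manager_approved=True, requested_at=NOW)
# Standard user over chat with weak evidence only, and a second reset today.
REPEAT_USER = ResetRequest("j.doe", "password_reset", "chat", {"employee_id"}, requested_at=NOW)


if __name__ == "__main__":
    for name, req in [("attacker-style", ATTACKER_STYLE), ("legit admin", LEGIT_ADMIN), ("repeat user", REPEAT_USER)]:
        decision, reasons = evaluate_reset_request(req, DIRECTORY)
        print(f"{name}: {decision}")
        for r in reasons:
            print(f"  - {r}")
```

The point of returning the reasons alongside the decision is that they become the ticket's audit trail: when a detection like the one earlier on this page fires on a reset, the investigator can see immediately which verification steps the agent recorded, and a vishing assessment can measure how often agents bypass the policy rather than how often they "feel" suspicious.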
Conclusion
The Aflac breach represents more than another entry in the growing catalog of healthcare data incidents—it exposes fundamental vulnerabilities in how the insurance industry protects its most sensitive assets. When 22.65 million records containing the precise documents needed for identity theft are exfiltrated through social engineering, it signals that traditional perimeter defenses are insufficient against adversaries who target the human element.
Scattered Spider's methodical progression through industry sectors—telecom, gaming, retail, and now insurance—demonstrates a sophisticated understanding of where valuable data concentrates and how to extract it. Their English-speaking members and polished social engineering techniques bypass controls that stop less sophisticated attackers.
For CISOs and security leaders in the insurance sector, the message is clear: the threat is active, the tactics are proven effective, and help desk authentication represents an existential vulnerability. Organizations that fail to implement phishing-resistant authentication, positive caller verification, and comprehensive social engineering training are effectively waiting for their turn in Scattered Spider's crosshairs.
The Aflac incident will likely cost hundreds of millions in remediation, legal expenses, and potential settlements. But the broader cost—erosion of trust in an industry built on managing others' risks—may prove more significant still.
References
- SecurityWeek: "22 Million Affected by Aflac Data Breach"
- TechCrunch: "US insurance giant Aflac says hackers stole personal and health data of 22.6 million people"
- Senate HELP Committee: "Chair Cassidy, Hassan Request Information on Aflac Data Breach"
- Google Threat Intelligence Group: Scattered Spider Insurance Industry Warning (June 2025)
- CrowdStrike: "SCATTERED SPIDER Escalates Attacks Across Industries" (July 2025)
- Beasley Allen: "Class Action Filed Against Aflac After Data Breach"
- HIPAA Journal: "Aflac Data Breach" incident reporting
- Insurance Journal: "Aflac Says 22.6M People Affected by Cyber Incident Earlier This Year"
Related Coverage on Breached.Company
Scattered Spider Coverage:
- Scattered Spider Overview - Comprehensive threat actor profile
- The MGM and Caesars Cyber Heists: A Detailed Breakdown
- The Fall of Scattered Spider: Teen Charged in $100M Las Vegas Casino Heist
- First Scattered Spider Member Sentenced: Noah Urban Gets 10 Years
- Scattered Spider Pivots to Insurance Sector: Aflac Breach Signals New Wave of Attacks
Healthcare Data Breaches:
- UnitedHealth Group's Massive Data Breach: A Cybersecurity Crisis Unfolds
- Yale New Haven Health $18 Million Settlement
- Covenant Health Cyberattack Analysis
This analysis is provided for informational purposes. Organizations should consult qualified cybersecurity professionals for specific guidance on threat mitigation and incident response.

