A massive cyberattack has exposed the sensitive personal details of Americans after hackers breached the system of Aflac.
Aflac, one of the largest insurance company in the US, has over 50 million customers worldwide and around 15m in America.
The breach identified on June 12 was carried out by a yet unknown hacking group that accessed files containing Social Security numbers, health claims and other private data.
A 11 class-action lawsuits have been already filed against the company, accusing it of failing to protect user data.
Aflac confirmed the breach in a statement filed with the US Securities and Exchange Commission on Friday, noting that the incident affected customers, beneficiaries, employees and agents.
The company has not shared how many people were affected.
‘Our business remains operational, and our systems were not affected by ransomware,’ said Aflac in a press release.
‘This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group.’
Aflac, one of the largest insurance company in the US has over 50 million customers worldwide.
The breach was contained within hours, according to Aflac, but the company admitted the scope of attack remains under investigation.
The hackers performed the attack by manipulating individuals and sector-specific targeting into performing actions or divulging confidential information.
Unlike malware or brute-force attacks, these tactics rely on psychological manipulation rather than technical vulnerabilities.
This form of attack involves tricking employees, often help desk workers into revealing passwords or granting access, bypassing traditional security systems like firewalls.
Alfac has hired a third party cybersecurity experts to review the breach and assess the damage.
So far, the company says the data potentially accessed includes names, claims data, Social Security numbers, and health-related information.
Aflac said it is offering free credit monitoring and identity theft protection to affected individuals.
Alfac has hired a third party cybersecurity experts to review the breach and assess the damage.
Aflac reported the data potentially accessed includes names, claims data, Social Security numbers, and health-related information.
A dedicated call center was launched on June 20 to provide support and more details to those impacted by the incident.
The Aflac hack followed a coordinated series of attacks on insurers beginning June 7, starting with Erie Insurance and Philadelphia Insurance Companies.
The FBI has not commented publicly on the breach, but cybersecurity analysts suspect the attack was carried out by a group known as Scattered Spider.
This group operates under a larger cybercriminal network known as The Com, according to Cyberscoop.
The group, active since 2022, is known for attacking US companies in waves using identity-based tactics such as impersonating employees.
John Hultquist, chief analyst at Google’s Mandiant Intelligence, said the insurance industry is currently facing a surge in targeted intrusions.
He noted the tactics used in the Aflac breach mirror recent attacks on Erie Indemnity and Philadelphia Insurance Companies.
‘This was part of a cybercrime campaign against the insurance industry,’ Aflac said in its press release.
‘We regret that this incident occurred,’ the company added, emphasizing its commitment to protecting customer data going forward.
Security experts warn that breaches like this can have long term consequences for victims.
With Social Security numbers and medical records exposed, individuals may at risk for fraud, scams or even medical identity theft.
Steve Cagle, CEO of Clearwater, a healthcare cybersecurity firm, said Scattered Spider is known for bypassing even multi-factor authentication by tricking help desk personnel.
‘This group’s specialty is identity-based tactics,’ he noted.
Health and insurance records are among the most valuable data types on the black market, experts say.
Scattered Spider has been linked to past attacks on tech companies, casinos, and retailers in both the US and UK.
The group reportedly uses threats of violence and impersonation tactics to gain access to secure systems.
Cyberattacks across the globe rose 44 percent last year, according to a January report by Check Point Research.
The rise is attributed partly to advanced social engineering and the use of generative AI in phishing and impersonation attempts.
Aflac has joined other breached companies in notifying regulators and offering affected customers support and monitoring tools.
As investigations continue, more insurers are expected to come forward with disclosures of similar intrusions.
