Aflac Announces Data Breach in Response to Targeted Cyber Attacks by Scattered Spider


On June 20, 2025, Aflac, a prominent insurance provider in the United States, confirmed a security breach impacting its systems as part of a broader cyber campaign targeting the insurance sector nationwide. The breach may involve the unauthorized acquisition of personal and health information from customers.

Aflac, recognized as the leading supplemental insurance provider in the U.S. and a Fortune 500 entity, offers various insurance products to millions of clients in the United States and Japan.

In its official statement, the company clarified that ransomware did not compromise its network. However, it remains undetermined if ransomware was initially deployed but subsequently blocked during the intrusion. Aflac implemented its cyber incident response protocols swiftly, mitigating the intrusion within hours and ensuring ongoing operational capability.

Aflac reassured its stakeholders that it can continue to serve customers effectively, stating, “This attack, similar to those faced by many insurance companies, was executed by a sophisticated cybercrime group targeting our industry.”

Following the detection of the breach, Aflac engaged external cybersecurity specialists to assess the incident and analyze potentially exposed files. According to a filing submitted to the U.S. Securities and Exchange Commission (SEC), the compromised documents may contain sensitive data, including claims, health information, Social Security numbers, and other personal details pertaining to customers, beneficiaries, employees, agents, and various individuals.

Analysis of Scattered Spider Threats

While Aflac did not attribute the breach to a specific cybercriminal group, the characteristics of the attack indicate a possible link to Scattered Spider.

Scattered Spider, also tracked under names such as 0ktapus, UNC3944, and others, is notorious for executing advanced social engineering attacks targeting high-profile organizations globally. Its methods include phishing, SIM swapping, and multi-factor authentication (MFA) circumvention.

In September 2023, this group advanced their operational capabilities by breaching MGM Resorts and encrypting over 100 VMware ESXi hypervisors using BlackCat ransomware after gaining access via employee impersonation. Scattered Spider has collaborated with other ransomware entities, expanding its reach and impact.

As noted by John Hultquist, Chief Analyst at Google Threat Intelligence Group (GTIG), Scattered Spider has actively targeted U.S. insurance firms, signaling an urgent need for heightened vigilance within the industry. Organizations should remain alert to potential social engineering attempts, particularly against help desks and call centers, given the group’s pattern of concentrating on a single sector at a time.

Recent incidents involving Philadelphia Insurance Companies and Erie Insurance reflect a concerning trend, as these organizations experienced significant disruptions after uncovering unauthorized network access.

GTIG further cautioned that Scattered Spider shifted its focus from targeting retail chains in the UK to U.S. retailers, demonstrating a strategic pivot that underscores the need for proactive cybersecurity measures in the insurance sector.