Aflac, the Columbus-based supplemental insurer that covers more than 50 million policyholders in the United States and Japan, revealed in a June 20 SEC filing that it detected “suspicious activity” on part of its U.S. network on June 12.
Internal teams isolated the affected systems within hours and launched incident-response protocols, supported by an outside forensics firm.
Early analysis shows the intrusion came from what the company calls a sophisticated cybercrime group using tactics similar to recent attacks on other insurers. Although core operations, underwriting, and claims processing stayed online, investigations indicate that hackers accessed a segment holding customer and employee data.
Stolen records likely include names, Social Security numbers, birth dates, address details, and certain claim or health information. Investigators have seen no evidence of ransomware or encryption of Aflac’s production systems.
The insurer has not yet quantified how many individuals were affected, but it warns the number could be significant because policy information for current and former customers was stored in the compromised environment.
Security analysts following the case say digital fingerprints point to Scattered Spider, an English-speaking affiliate of the ALPHV gang that breached UnitedHealth in 2024. That attack triggered weeks-long claim delays across U.S. hospitals.
Several other carriers filed breach notices the same week Aflac did, suggesting an orchestrated campaign aimed at insurance firms that hold rich combinations of financial and medical data. Under new SEC rules, public companies must disclose material cyber incidents within four business days.
Aflac’s same-day public statement and eight-day formal filing illustrate how that regulation is shaping breach transparency. Investors reacted quickly, sending Aflac shares down about one percent in pre-market trading on June 20 before prices stabilized as the company assured Wall Street that business continuity was intact.
Aflac has begun notifying regulators and will offer complimentary credit monitoring and identity-theft protection once the scope becomes clearer. It is reinforcing endpoint defenses, rotating credentials, and accelerating a zero-trust network overhaul that was in pilot testing before the incident.
Legal fallout has already started: an Alabama firm filed a proposed class action on June 25 alleging the carrier failed to patch known vulnerabilities and ignored industry warnings about similar threats. Cyber-risk specialists say the lawsuit will test whether courts view SEC filings and public statements as proof of timely due diligence.
Meanwhile, consumer-protection agencies advise policyholders to monitor Explanation of Benefits statements, set fraud alerts with credit bureaus, and use the free annual credit-report program. Insurance watchdogs predict higher compliance costs across the sector because underwriters may need to encrypt data at rest and adopt continuous logging to retain customer trust.
While the full impact will take months to untangle, Aflac’s rapid containment, detailed disclosures, and cooperation with law enforcement offer an emerging playbook for breach response in a regulatory environment that demands speed, accuracy, and accountability.
Link to article: https://edition.cnn.com/2025/06/20/tech/aflac-cyberattack