Aflac Confirms Data Breach Amid Rising Wave of Scattered Spider Attacks on U.S. Insurance Industry

Insurance giant Aflac has confirmed a breach involving sensitive personal and health data, part of a broader wave of attacks linked to the Scattered Spider cybercrime group.

    Aflac Discloses Data Breach in Broader Campaign Targeting U.S. Insurers

    Aflac, the largest supplemental insurance provider in the United States, has disclosed a cybersecurity breach that compromised sensitive personal and health information. The incident is part of an ongoing wave of targeted cyberattacks on U.S. insurance companies—believed to be linked to the threat actor group Scattered Spider.

    In a public statement issued on Friday, Aflac confirmed it had detected unauthorized access to its systems and launched a rapid response. The intrusion was halted within hours, and the company emphasized that the attack did not involve ransomware, although it has not confirmed whether ransomware was attempted or blocked.

    “We promptly initiated our cyber incident response protocols and stopped the intrusion within hours. Importantly, our business remains operational, and our systems were not affected by ransomware,” Aflac stated.

    The company’s customer services—including policy underwriting, claims processing, and support—continue without disruption.

    Sensitive Data Potentially Exposed

    According to Aflac’s filing with the U.S. Securities and Exchange Commission (SEC), the compromised files may include:

    • Customer and beneficiary information
    • Claims and health data
    • Social Security numbers
    • Personal details of employees, agents, and other individuals

    The company has engaged external cybersecurity experts to investigate the breach and assess the scope of the exposure.

    Attack Tactics Consistent with Scattered Spider

    While Aflac has not officially attributed the breach to a specific threat actor, the incident bears a strong resemblance to known tactics used by Scattered Spider, a cybercrime group also tracked under names like 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra.

    This group is known for:

    • Social engineering tactics such as phishing, MFA bombing, and SIM swapping
    • Gaining initial access by impersonating employees in help desk calls
    • Partnering with ransomware operators like BlackCat, RansomHub, and Qilin

    Scattered Spider has previously targeted major organizations including MGM Resorts, Twilio, Caesars, Reddit, and MailChimp. In September 2023, the group breached MGM by impersonating an employee and encrypted over 100 VMware ESXi hypervisors using BlackCat ransomware.

    Insurance Sector Under Active Threat

    John Hultquist, Chief Analyst at Google Threat Intelligence Group (GTIG), warned that insurance companies are now a primary focus of Scattered Spider:

    “The insurance industry should be on high alert… especially for social engineering attempts on help desks and call centers,” Hultquist told BleepingComputer.

    Other recent victims in this sector include Philadelphia Insurance Companies (PHLY) and Erie Insurance, both of which reported network disruptions linked to unauthorized access.

    The group’s targeting has also shifted geographically, moving recently from UK retail to the U.S. insurance and retail sectors.
