U.S. insurance giant Aflac has confirmed that 22.65 million individuals were affected by a major data breach in June 2025, where attackers accessed a trove of sensitive personal and health-related data.
A recent disclosure revealed that the stolen data included Social Security numbers, medical information, and government-issued ID numbers. The breach did not involve ransomware or sophisticated malware; it was achieved through social engineering.
The attackers, suspected to be from the Scattered Spider group, are known for bypassing traditional security controls by targeting employees directly.
Aflac has since begun issuing notification letters and is offering two years of free identity protection.
This attack is part of a broader campaign that also hit Erie Insurance and Philadelphia Insurance Companies, and it has triggered more than 20 lawsuits and federal investigations into Aflac’s data protection practices. Perhaps most alarming is what the breach reveals about wider sector vulnerabilities, especially concerning outdated identity security practices like legacy multi-factor authentication (MFA).
Why It Matters: The Aflac breach reflects a systemic flaw in how the insurance industry protects sensitive data. Legacy MFA systems are increasingly ineffective against modern phishing and social engineering attacks. As attackers focus more on exploiting human error than software vulnerabilities, organizations holding valuable data must rethink authentication and identity security from the ground up.
- Breach Executed via Social Engineering: Hackers gained access using deceptive, human-targeted tactics rather than software exploits. This method allowed them to bypass MFA tools like app approvals and push notifications, security layers increasingly vulnerable to phishing and credential relays.
- Sensitive Data on Millions Compromised: Exposed information includes names, addresses, dates of birth, Social Security numbers, driver’s license and passport details, health claims data, and insurance information tied to customers, employees, agents, and beneficiaries.
- Scattered Spider Suspected: The breach matches known tactics of Scattered Spider, a collective specializing in phishing campaigns targeting large corporations. The group has previously hit retailers and hospitals, and was flagged by the Health Sector Cybersecurity Coordination Center in late 2024.
- Sector-Wide Risk Exposed: Aflac’s breach is part of a larger pattern in which insurance companies are being targeted due to the high value of their customer data and the relative ease of penetrating defenses based on user behavior rather than system flaws.
- Call for Stronger Identity Architecture: Experts warn that continued reliance on outdated MFA and a lack of phishing-resistant protocols leaves companies vulnerable. The breach highlights the urgent need for adaptive, modern identity verification systems that reduce dependency on human judgment.
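The bullets above describe push-notification MFA being defeated by social engineering rather than by a software exploit. As an added example that is not from the article or from Aflac, the following Python detector runs over a constructed (not real) MFA push log and flags users who approve a push shortly after repeatedly denying others, a pattern a defender would want to alert on. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (not real logs): timestamp, user, method, result
SAMPLE_LOG = """\
2025-06-12T09:01:02Z alice push DENIED
2025-06-12T09:01:40Z alice push DENIED
2025-06-12T09:02:15Z alice push DENIED
2025-06-12T09:03:05Z alice push APPROVED
2025-06-12T09:10:00Z bob push APPROVED
2025-06-12T11:30:00Z carol push DENIED
2025-06-12T14:00:00Z carol push APPROVED
"""


def parse_events(text):
    """Parse whitespace-separated log lines into (timestamp, user, method, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, result))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), min_denials=2):
    """Return {user: (denials_before_approval, approval_timestamp)} for each user whose
    APPROVED push was preceded by at least min_denials DENIED pushes inside the window.
    A denial followed by an approval hours later (carol) is normal and is not flagged."""
    by_user = defaultdict(list)
    for ts, user, method, result in events:
        if method == "push":
            by_user[user].append((ts, result))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (ts, result) in enumerate(evs):
            if result != "APPROVED":
                continue
            denials = sum(1 for t, r in evs[:i] if r == "DENIED" and ts - t <= window)
            if denials >= min_denials:
                flagged[user] = (denials, ts)
                break  # one alert per user is enough for triage
    return flagged


if __name__ == "__main__":
    print(find_push_fatigue(parse_events(SAMPLE_LOG)))
```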