Aflac has joined the growing list of insurance giants that have been breached by attackers who did not need sophisticated malware or zero-day exploits. Instead, they relied on smart social engineering and took advantage of outdated security practices.

In a filing with the SEC, Aflac confirmed that hackers accessed personal data during a cyberattack on June 12, 2025. The stolen information includes Social Security numbers, claims details, and health records.

This was not an isolated incident.

This breach is part of a broader trend impacting the insurance industry, following similar incidents reported by Erie Insurance and Philadelphia Insurance Companies within the same month. The group believed to be responsible, known as Scattered Spider, has repeatedly demonstrated its ability to bypass traditional identity security by exploiting people rather than technology.

Why It Matters: The Aflac breach is a perfect storm of sector risk, valuable data, and attackers who know exactly where the soft spots are. It is also a case study in how legacy MFA that depends on codes, push notifications, or app approvals is not built to handle today’s phishing and social engineering attacks. For organizations that handle sensitive data, this threat is already here, and it is forcing them to rethink what secure authentication really means.

• How Attackers Got In: Aflac reported that social engineering was at the heart of the breach. The suspected group, Scattered Spider, is known for using human-centered tactics rather than relying on technical exploits. By exploiting trust and procedures, they gained a foothold without needing sophisticated hacking tools.

• What Was Compromised: The attackers accessed a wide range of sensitive information, including insurance claims data, Social Security numbers, and personal health information. This data was linked not only to customers but also to employees, agents, and beneficiaries across Aflac’s U.S. operations. Aflac has not yet confirmed how many individuals are affected, but with a customer base of around 50 million people, even a small fraction represents a significant breach. The full scope will become clearer as their internal review continues.

• Why Legacy MFA Failed: This incident highlights the weakness of traditional multi-factor authentication methods like SMS codes, app prompts, and push notifications. These systems can be easily manipulated during a phishing or credential relay attack, because they rely on the user to approve access without always recognizing the risk. Attackers can intercept codes or trick employees into approving fraudulent requests in real time.

• The Bigger Picture For The Insurance Industry: This breach is part of a broader pattern that shows how insurance companies have become prime targets for cybercrime. The sector manages vast amounts of valuable personal and financial data, making it highly attractive to attackers. With threats increasingly aimed at human vulnerabilities rather than technical flaws, companies are encouraged to rethink their security architecture. Adopting phishing-resistant authentication and stronger identity controls is no longer optional if they want to protect sensitive customer information.

Go Deeper -> Hackers target insurance giant in ongoing industry cyber spree – FOX Business

The Aflac Breach Was Preventable — Token’s Technology Proves It – Businesswire