The United States’ largest insurance provider, Aflac, has confirmed a cyberattack that exposed a significant volume of sensitive personal information. This adds to growing concerns about cybersecurity risks across the insurance sector.
In a filing with the U.S. Securities and Exchange Commission, Aflac disclosed that unauthorised actors gained access to its network on June 12. The company said investigators are continuing to assess the full scope of the breach. However, they acknowledged that hackers accessed highly sensitive data.
The compromised information includes Social Security numbers and health-related details associated with insurance claims. It also involves personal data of policyholders, beneficiaries, employees, and agents. Aflac stressed that the incident did not involve ransomware and that core systems remain operational.
22.65 million impacted by Aflac cyberattack in June https://t.co/hOebPfXs1J
— WSB-TV (@wsbtv) December 24, 2025According to the company, attackers used social engineering to infiltrate internal systems. This method typically involves manipulating individuals into revealing credentials or granting access, rather than exploiting technical flaws.
With nearly 50 million customers, Aflac now joins a growing list of U.S. insurers targeted in recent cyber incidents. Security experts warn that the sector has become increasingly attractive to attackers. This is due to the volume of sensitive financial and medical data it holds.
John Hultquist, chief analyst at Google’s threat intelligence unit, said several recent breaches point to a cybercrime group known as Scattered Spider. The group commonly uses social engineering and, in some cases, intimidation to breach corporate networks.
US insurance giant Aflac says hackers stole personal and health data of 22.6 million https://t.co/llCigqvbl7
— TechCrunch (@TechCrunch) December 23, 2025Investigators have also linked Scattered Spider to recent intrusions at Erie Insurance and Philadelphia Insurance Companies. The group has a history of financially motivated attacks. It has previously targeted industries ranging from technology firms to casinos and hotels.
The incident highlights mounting pressure on insurers to strengthen cybersecurity defences. This tension grows as attacks become more frequent and sophisticated. Regulators and industry leaders continue to urge companies to invest in staff training, monitoring, and rapid-response measures to mitigate the impact of future breaches.
