American insurance company AFL (Aflac) has officially announced that a cyberattack in June resulted in the leakage of personal information for up to 22.65 million people. This is one of the largest hacking incidents reported by the U.S. insurance industry this year, and its inclusion of health and medical information is expected to cause significant repercussions.
Aflac stated that it initially discovered unauthorized access to parts of its U.S. network on June 12th and immediately took countermeasures, including hiring external security experts and reporting the incident to law enforcement agencies. The attack did not involve ransomware or cause business disruption. However, it has been confirmed that the files stolen by the hackers contained a large amount of personally identifiable information.
The leaked data includes information on customers, former/current employees, insurance beneficiaries, and collaborating agents. It reportedly involves not only names, dates of birth, contact information, and Social Security numbers, but also sensitive content such as health and insurance claims information. Some cases even include government-issued identification information, potentially causing even greater damage.
Aflac stated that no fraudulent activities using the stolen information have been detected to date, but to prevent potential harm, it has begun notifying victims and relevant regulatory agencies. The company also plans to offer up to 24 months of free identity protection services, including credit monitoring, identity theft prevention, and medical fraud detection.
While no official perpetrator has been identified, cybersecurity experts suggest it may be the work of a hacking group known as "Scattered Spider." This group has been active since 2022, consistently targeting the insurance, healthcare, and retail sectors, and has a history of collaborating with the ALPHAV/BlackCat ransomware group.
Scattered Spider primarily utilizes voice-based social engineering attacks targeting IT administrators, gaining access through sophisticated techniques such as mimicking victims' voices or impersonating new employees. They establish intrusion paths through methods including trading others' login information, eavesdropping, SMS phishing, call forwarding, and SIM card swapping.
Tim Rawlins, a security consultant at NCC Group, analyzed, "The insurance industry has experienced several major security incidents this year. While backup systems have been strengthened and ransom demands for decryption have decreased, the practice of using leaked information to extort money is spreading." He further warned, "These types of data disclosure threats are likely to become the new standard for future cyberattacks."
Since 2025, cyberattacks targeting the healthcare and insurance industries have been on the rise, and the Aflac incident is expected to serve as a wake-up call for the entire industry's security systems. Industry experts generally believe that strengthening security training for internal employees and enhancing real-time monitoring systems will be crucial in the future.
