U.S. insurance giant Aflac confirmed a data breach on Tuesday it has begun notifying 22.65 million customers after hackers stole their personal and health information in a June cyberattack.
In June, Aflac disclosed the data breach, revealing that hackers accessed customers’ personal information, including Social Security numbers and health information, but did not specify the number of victims at that time. The breach exposed sensitive details for a substantial portion of the company’s customer base.
A filing with the Texas attorney general outlined the scope of the stolen data. It included customer names, dates of birth, home addresses, government-issued ID numbers such as passports and state ID cards, driver’s license numbers, Social Security numbers, and medical and health insurance information. This comprehensive set of records heightens risks associated with the unauthorized access.
In a separate filing with the Iowa attorney general, Aflac provided details on the perpetrators. The company stated that the cybercriminals responsible for the breach “may be affiliated with a known cyber‑criminal organization; federal law enforcement and third-party cybersecurity experts have indicated that this group may have been targeting the insurance industry at large.” These disclosures point to coordinated efforts against the sector.
Scattered Spider, an amorphous collective of primarily young English‑speaking hackers, was targeting the insurance industry at the time of the breach. Aflac’s description aligns with activities attributed to this group.
| Metric | Details |
| Total individuals affected | 22,654,000 |
| Percentage of customers | ~45% of Aflac’s total base |
| Breach discovery date | June 12, 2025 |
| Notification date | December 19 – 23, 2025 |
| Suspected threat actor | Scattered Spider (UNC3944) |
| Regulatory filings | Texas, Iowa, and California AG Offices |
