Aflac reveals personal data of 22.6 million people stolen in cyberattack - here's what we know
Six months after breach, Aflac determines how many people were affected
- Aflac confirms personal data of 22.65 million individuals (SSNs, health info, claims) stolen in June 2025 breach
- Victims include customers, employees, agents; company now issuing notifications and offering support
- Scattered Spider suspected, also linked to attacks on Erie, Philadelphia Insurance, and Allianz Life
More than 22 million people were affected by the cyberattack which struck American insurance giant Aflac in summer 2025, the company has revealed.
“Based on our review of potentially impacted files, we have determined personal information associated with approximately 22.65 million individuals was involved,” the statement reads.
The company is now notifying everyone whose information, which includes customers’ claims, Social Security numbers, and health information, was stolen. The victims include company beneficiaries, employees, and agents.
Scattered Spider
In late June 2025, the company filed an 8-K report with the US Securities and Exchange Commission (SEC), saying that it identified unauthorized access to its network, which it contained “within hours”.
At the time, the company said it didn’t believe the attack was ransomware, but stressed that without a thorough investigation, it could not be certain about the nature of the incident or who the affected people were.
US law firm Maynard Nexsen also said in June 2025 that “several insurance companies” were targeted by Scattered Spider, including Aflac, Erie Insurance, and Philadelphia Insurance.
“The threat actor, Scattered Spider, is now focusing on the insurance industry,” the announcement said.
This included Allianz Life Insurance Company of North America (Allianz Life), which in July notified 1.4 million of its customers, financial professionals, and employees that it had suffered the same fate, losing personal information to Scattered Spider via a third-party CRM platform.
Scattered Spider hackers are known to be financially motivated, with previous cyberattacks and intrusions at tech giants, casinos, and hotels.
Via TechCrunch
