The Aflac Breach: 22.6 Million Records, Six Months Late

By David V. | Category Breaches | 6/19/2026

Aflac, the insurance company known for its duck mascot, confirmed that hackers stole personal and health data belonging to roughly 22.65 million people: customers, beneficiaries, employees, and agents. The stolen data includes Social Security numbers, dates of birth, driver's license and government ID numbers, home addresses, and health insurance details, including claims data. [Tom's Guide]

The breach happened in June. Aflac told the public this week.

What Happened, And When

Hackers broke into Aflac's network in June 2025 and pulled the data out before the company could stop them. Aflac caught the intrusion and shut it down within hours. The company filed an 8-K with the SEC at the time and said it didn't believe ransomware was involved. [ProbablyPwned and two other sources]

What Aflac didn't say at the time: how many people were affected, or what data the attackers actually took.

Aflac finished its investigation on December 4. Lawyers then spent two and a half weeks figuring out which files legally required notification. Aflac filed with regulators and started notifying people on December 22, six months after the breach happened. [ProbablyPwned]

A Senate committee noticed the gap. Senators Cassidy and Hassan have already sent Aflac a request for information about the delay. [Breached]

How The Attackers Got In

No ransomware. No malware. Someone picked up the phone. [TechRadar]

Security researchers tie the attack to Scattered Spider (also tracked as Octo Tempest or UNC3944). The group built its reputation on talking its way past security teams instead of breaking through firewalls. SIM-swap a phone number. Call a help desk. Convince someone you're an employee who got locked out.

Scattered Spider ran the same playbook against MGM Resorts in 2023. That breach cost MGM an estimated $100 million. In 2025, the group turned its attention to insurers.

Aflac Wasn't The Only Target

A law firm tracking the campaign confirmed Scattered Spider hit multiple insurance companies in the same wave, including Erie Insurance and Philadelphia Insurance Companies. Allianz Life shows up in the same campaign too. [TechRadar]

Why insurers? They hold massive amounts of valuable customer data, and attackers can often get in by manipulating an employee rather than exploiting a software bug. [Nationalcioreview]

If you're a customer of any large insurance company, pay attention to this story even if your insurer hasn't announced anything yet.

The Part Most Articles Skip

A system didn't fail here. A person did, because someone convinced them to hand over access.

Scattered Spider has also started deploying ransomware in double-extortion attacks, encrypting data on top of stealing it. Aflac avoided that outcome. The initial entry point looks the same either way. [PauBox]

Experts point to outdated MFA and the absence of phishing-resistant authentication as the real gap. Not a missing patch. A login process that trusts the wrong things. [Nationalcioreview]

What To Do If You're Affected

If you're an Aflac customer, employee, beneficiary, or agent, do these five things.

  1. Check your mail and inbox. Aflac started sending notification letters to the 22.6 million affected individuals. [ProbablyPwned]
  2. Sign up for the monitoring. Aflac is offering two years of free identity protection. Use it. Don't let the email sit. [ProbablyPwned]
  3. Watch for medical identity theft and tax fraud. This breach included SSNs, government IDs, and health insurance data together. That combination enables more than credit card fraud.
  4. Hang up on "Aflac" if they call asking you to verify your SSN. Scammers will use this breach as cover for follow-up calls. Real Aflac reps don't need your SSN read back to you over the phone.
  5. Freeze your credit. SSNs and dates of birth are now circulating. A freeze stops new accounts from opening in your name.

Why This Keeps Happening

Analysts estimate the financial fallout (remediation, legal fees, settlements) could reach hundreds of millions of dollars. The cost that doesn't show up on a balance sheet: every Aflac customer now has to wonder whether the company that holds their medical records can keep them safe. [Breached]

Scattered Spider didn't write custom malware. They didn't find a zero-day. They made one phone call. Until insurers treat their help desks as part of the attack surface, this keeps happening.


🔑 Key Terms

Scattered Spider — A cybercrime group (also tracked as Octo Tempest or UNC3944) that specializes in social engineering: SIM-swapping, phishing, and help desk manipulation. Linked to the 2023 MGM Resorts breach and the 2025 insurance industry attacks.

Social Engineering — An attack that targets people instead of systems. The attacker convinces an employee to grant access rather than exploiting a software flaw.

8-K Filing — A report public companies must file with the SEC to disclose major events, including data breaches.

SIM-Swapping — Tricking a phone carrier into moving a victim's number to a device the attacker controls, often to intercept two-factor codes.

Double Extortion — A ransomware tactic where attackers steal data and encrypt it, then threaten to leak it unless the victim pays.


📚 Sources

TechCrunch — US insurance giant Aflac says hackers stole personal and health data of 22.6 million people
TechRadar Pro — Aflac reveals personal data of 22.6 million people stolen in cyberattack
ProbablyPwned — Aflac Confirms 22.6 Million Affected in June Data Breach
Tom's Guide — 22.6 million hit in massive Aflac data breach