U.S. insurance giant Aflac has confirmed a major data breach that compromised the personal and health information of approximately 22.6 million customers. The company, which initially disclosed a cyberattack in June without specifying the number of victims, began notifying affected individuals earlier this week.
The extensive breach involved hackers stealing a wide array of sensitive data. According to a filing with the Texas attorney general, the stolen information includes customer names, dates of birth, home addresses, government-issued identification numbers (such as passports and state ID cards), driver's license numbers, and Social Security numbers. Crucially, medical and health insurance information was also compromised.
In a separate filing with the Iowa attorney general, Aflac indicated that the cybercriminals responsible for the attack "may be affiliated with a known cyber-criminal organization." Federal law enforcement and third-party cybersecurity experts have suggested that this group might have been broadly targeting the insurance industry.
While Aflac did not publicly name the group, it is widely believed to be Scattered Spider. This amorphous collective of primarily young, English-speaking hackers was known to be targeting the insurance sector around the time of the breach, making them a likely candidate for the perpetrators Aflac referred to.
Aflac, which states it has around 50 million customers on its official website, did not respond to a request for comment regarding the incident. The company is one of several insurance providers that have experienced cyberattacks around the same period, with similar data breaches reported at Erie Insurance and Philadelphia Insurance Companies.
