Aflac's recent data breach has exposed sensitive personal and health-related information of over 22 million individuals, highlighting a systemic flaw in how the insurance industry protects sensitive data. The attackers used social engineering tactics to bypass traditional security controls, targeting employees directly.
What Happened
The breach occurred in June 2025, when Aflac's Japan subsidiary was hacked by threat actors who gained access to its systems and stole personal and bank account information. The company has confirmed that the attackers accessed a trove of sensitive data, including Social Security numbers, medical information, and government-issued ID numbers.
Aflac reported the breach using a placeholder figure of 500 affected individuals, but later updated the number to 22.65 million. The company is now investigating the incident with the help of external cybersecurity experts and has alerted Japanese authorities to the breach.
Background and Context
The Aflac data breach is part of a broader campaign targeting insurance companies across the United States. In June 2025, Aflac disclosed another data breach amid a wave of attacks on insurance companies, saying that the attackers may have gained access to documents containing sensitive information about customers, beneficiaries, employees, agents, and other individuals.
The Scattered Spider hacking group is suspected to be behind the breach. This group has been linked to several high-profile breaches in the past, including those at MGM Resorts, DoorDash, Caesars, MailChimp, Twilio, Coinbase, Riot Games, and Reddit. The group's tactics involve targeting employees directly through social engineering attacks.
Why it Matters
The Aflac breach highlights a systemic flaw in how the insurance industry protects sensitive data. Legacy MFA systems are increasingly ineffective against modern phishing and social engineering attacks. As attackers focus more on exploiting human error than software vulnerabilities, organizations holding valuable data must rethink authentication and identity security from the ground up.
The breach also underscores the importance of robust cybersecurity measures for companies handling sensitive customer information. Aflac's failure to prevent the breach has triggered over 20 lawsuits and federal investigations into its data protection practices.
What Comes Next
Aflac is now offering two years of free identity protection to affected individuals, but the long-term consequences of the breach are still unclear. The incident serves as a warning to companies in the insurance industry to prioritize robust cybersecurity measures and rethink their authentication and identity security practices.
Key Facts
- Aflac's Japan subsidiary was hacked by threat actors who gained access to its systems and stole personal and bank account information.
- The breach occurred in June 2025, affecting over 22 million individuals.
- The attackers accessed a trove of sensitive data, including Social Security numbers, medical information, and government-issued ID numbers.
- Aflac is now investigating the incident with the help of external cybersecurity experts.
- The company has alerted Japanese authorities to the breach and is offering two years of free identity protection to affected individuals.