On June 20, Aflac notified the SEC of unauthorized access to its network:
On June 12, 2025, Aflac Incorporated, a Georgia corporation (the “Company”), identified unauthorized access to its network. The Company promptly initiated its cybersecurity incident response protocols and believes that it contained the intrusion within hours. The Company’s business remains operational, and its systems were not affected by ransomware. The Company continues to serve its policyholders as it responds to this incident and can underwrite policies, review claims, and otherwise service customers as usual. The Company has engaged leading third-party cybersecurity experts to support the Company’s response to the incident.
The Company has commenced a review of potentially impacted files. That review is in its early stages. The Company is unable to determine the total number of affected individuals until that review is completed. The potentially impacted files contain claims information, health information, social security numbers, and/or other personal information, related to customers, beneficiaries, employees, agents, and other individuals in its U.S. business. The Company anticipates notifying regulators and providing appropriate notifications to individuals affected by this incident. Individuals will be offered free credit monitoring and identity theft protection services.
At this time, the full scope and potential ultimate impact on the Company are not known.
Aflac is the third U.S. insurer to recently announce any cyberattack, and may be the work of Scattered Spider. Google’s Threat Intelligence Group had sounded a warning this week, noting that it had become aware of multiple intrusions in the U.S. bearing the hallmarks of Scattered Spider activity.
“We are now seeing incidents in the insurance industry. Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers,” John Hultquist wrote.
Prior to Aflac’s submission, Erie Insurance announced a “network outage” that occurred on June 17. According to their statement and updates, they did not find any ransomware involved. Erie’s statements do not name any ransomware or extortion gang and do no not disclose whether they received any extortion demands.
Days later, Philadelphia Insurance Companies also announced a “network outage” impacting their systems affecting their phone and email systems, as well as customer access to online applications. Their incident and FAQ pages indicate that no ransomware was involved in their incident.
Now Aflac has reported an incident occurring during the same few days as the other two insurers. That alone makes it more likely that the same threat actors are involved, as does their report that ransomware was not involved. The notice on their website strongly suggests they suspect Scattered Spider:
This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group. This was part of a cybercrime campaign against the insurance industry.
We have engaged leading third-party cybersecurity experts to support our response to this incident. While the investigation remains in its early stages, in the spirit of transparency and care for our customers, we are sharing that our preliminary findings indicate that the unauthorized party used social engineering tactics to gain access to our network.
A source with knowledge of Aflac’s incident tells DataBreaches that although Aflac does suspect the attack is the work of Scattered Spider because of the characteristics of the attack, it couldn’t be sure at this point because the attackers did not identify themselves.