Insurance giant Aflac has confirmed that a major data breach earlier this year compromised the personal information of approximately 22.65 million individuals, making it one of the largest insurance-related cyber incidents of 2025.
The Columbus, Georgia–based company said it detected suspicious activity on its U.S. network on June 12 and publicly disclosed the breach on June 20. According to Aflac, the intrusion was carried out by a sophisticated cybercriminal group as part of a broader campaign targeting the insurance sector.
What Information Was Stolen
Following a months-long forensic investigation, Aflac determined that a wide range of sensitive data may have been accessed. The exposed information includes:
- Full names and home addresses
- Social Security numbers
- Dates of birth
- Driver’s license and other government-issued ID numbers
- Medical and health insurance information
The affected population includes customers, beneficiaries, employees, insurance agents, and other individuals connected to the company.
Aflac said the attack did not involve ransomware and did not disrupt its business operations. The company reported that it moved quickly to contain the incident and engaged external cybersecurity experts to assist with the investigation and remediation.
Notifications and Support for Victims
In late December, Aflac began notifying affected individuals after completing its review of the compromised files. The company is offering 24 months of free credit monitoring, identity theft protection, and medical fraud protection services to those impacted.
While Aflac stated it is not currently aware of any misuse of the stolen data, it urged individuals to remain alert for signs of identity theft or fraud, including unusual financial or medical billing activity.
Possible Industry-Wide Cyber Campaign
Aflac did not identify the group responsible for the breach but described the incident as part of a coordinated campaign against insurance companies. Cybersecurity analysts note that the timing aligns with warnings from Google’s Threat Intelligence Group earlier this year about increased activity by the Scattered Spider hacking group, which has been linked to attacks on insurers and other large enterprises.
The breach adds to a growing list of high-profile cyber incidents in 2025, underscoring ongoing concerns about data security in industries that handle large volumes of sensitive personal and health information.
As regulatory scrutiny and litigation risks continue to rise, the Aflac incident is likely to intensify calls for stronger cybersecurity standards across the insurance sector.
