Insurance company Aflac said a “sophisticated cybercrime group” breached its systems and may have stolen data.
The Georgia-based company published a statement and notified the Securities Exchange Commission (SEC) on Friday, explaining that the incident was initially identified on June 12.
The intrusion was stopped “within hours” and no business functions were affected by ransomware, Aflac said. But the company admitted that there were files stolen during the incident and said officials are determining the total number of affected individuals.
The potentially impacted files contain information on claims, health information, Social Security numbers and other personal data of “customers, beneficiaries, employees, agents, and other individuals in its U.S. business.” The company said it can still “underwrite policies, review claims, and otherwise service our customers as usual.”
Aflac did not respond to requests for comment but explained in a press release that the attack is something “many insurance companies are currently experiencing.”
“This was part of a cybercrime campaign against the insurance industry,” the company said, adding that the hackers “used social engineering tactics to gain access to our network.”
A source working with Aflac on the incident explained explained that the threat actors did not identify themselves but the characteristics of the attack bear the hallmarks of Scattered Spider, a loosely affiliated group of English-speaking cybercriminals known for gaining access to major companies by posing as IT workers.
Google warned earlier this week that Scattered Spider had recently shifted from attacking large retail companies to targeting the insurance industry.
Erie Insurance and the Philadelphia Insurance Companies each published notices this week about cyberattacks. A major Swedish insurance firm also was allegedly attacked by cybercriminals this week who took down the company’s website.
Charles Carmakal, the chief technology officer of Mandiant, previously told Recorded Future News that there is more than one U.S.-based insurance company that has been attacked and noted that the targeting of the insurance industry began around a week and a half ago.
“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers,” said John Hultquist, chief analyst at Google.
Last week, Google published a report about Scattered Spider tricking companies into giving them widespread access to a popular Salesforce tool, allowing them to steal sensitive data and move through other parts of the organizations.
Aflac created a phone line for those concerned that their data may have been accessed and is providing two years of identity theft protection to anyone who calls.
In 2023, Aflac reported a data breach in Japan that affected 1.3 million customers holding cancer-related insurance policies.
Aflac is one of the largest insurance companies in the U.S. and Japan, reporting a total 2024 revenue of $18.9 billion. In the SEC filing, the company said the “full scope and potential ultimate impact” on their finances is unknown.
Recorded Future
Intelligence Cloud.
Learn more.
