One of the most significant data breaches of 2025 has now come fully into focus—and the scale is staggering.
Columbus, Georgia–based insurance giant Aflac has confirmed that a cyberattack discovered in June 2025 ultimately exposed the sensitive personal and health information of approximately 26.5 million individuals, making it one of the largest insurance-sector breaches on record.
Aflac initially reported the incident to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) on August 8, 2025, using a placeholder estimate of just 500 affected individuals. After several months of forensic investigation, the company has since acknowledged the true scope of the breach—and begun notifying impacted individuals.
A Massive Breach at a Global Insurance Leader
Aflac is a Fortune 500 company specializing in supplemental health insurance, covering medical expenses not paid by primary insurers. With operations in the United States and Japan, the company serves approximately 50 million customers worldwide.
On December 19, Aflac clarified that it is now notifying about 22.65 million people whose data was confirmed stolen during the breach. State-level disclosures—including legally required notifications filed in Texas and Iowa—paint a concerning picture of the types of information exposed.
According to those disclosures, the compromised data may include:
- Names and contact information
- Dates of birth
- Social Security numbers
- Tax identification numbers
- Health information and medical record numbers
- Dates of service with medical providers
- Health insurance ID numbers
This combination of personally identifiable information (PII) and protected health information (PHI) creates a high risk of identity theft, medical fraud, and long-term financial harm for affected individuals.
Signs of a Coordinated Attack on the Insurance Industry
Notably, Iowa’s breach notification included a warning that the unauthorized actor “may be affiliated with a known cyber-criminal organization” and that federal law enforcement and third-party cybersecurity experts believe the group has been actively targeting the insurance industry at large.
That assessment aligns closely with a broader hacking campaign observed this spring—one widely attributed to the cybercriminal group known as Scattered Spider.
Over the same period, other major U.S. insurers were also breached, including:
- Erie Insurance Group (Pennsylvania)
- Philadelphia Insurance Companies
Like the Aflac incident, these attacks involved data theft without file encryption, suggesting a deliberate shift away from traditional ransomware deployment. While formal attribution has not yet been confirmed, the timing, techniques, and sector focus strongly suggest a single threat actor behind all three incidents.
Who Is Scattered Spider?
Scattered Spider is a highly adaptive threat group known for targeting one industry at a time, often focusing on large, high-value organizations. Prior to its apparent pivot to insurance, the group targeted the retail sector, with high-profile attacks including:
- Marks & Spencer, Co-op, and Harrods in the UK
- Victoria’s Secret and United Natural Foods (a key supplier to Whole Foods) in the U.S.
According to the Google Threat Intelligence Group, Scattered Spider has now shifted its attention to the insurance industry. Additional warnings from ReliaQuest indicate that the group is also targeting IT service providers and managed service providers (MSPs) as a way to compromise downstream clients—significantly expanding the potential blast radius of future attacks.
Google researchers have noted that recent insurance-sector intrusions display the hallmarks of a targeted Scattered Spider campaign, even though ransomware has not yet been deployed.
A Tactical Shift: Data Theft Over Ransomware
Historically, Scattered Spider has followed a familiar playbook: breach networks, exfiltrate sensitive data, and then deploy ransomware to maximize leverage. In these recent insurance-sector attacks, however, ransomware has been notably absent.
There are two likely explanations:
- Early detection: Security teams may have disrupted the attacks before ransomware could be deployed.
- Strategic evolution: The group may be intentionally shifting toward data theft and extortion alone, reducing operational risk while maintaining significant leverage over victims.
Either scenario underscores a troubling reality: preventing ransomware alone is no longer enough. Data exfiltration has become a primary objective, not just a precursor to encryption.
What This Means for Insurers—and Their Partners
While the specific perpetrator behind the Aflac breach has not been officially confirmed, one conclusion is unavoidable: the insurance industry is under active, targeted attack.
Insurers—and the vendors and service providers that support them—should assume heightened risk and act accordingly. This includes:
- Strengthening identity and access controls
- Monitoring for lateral movement and data exfiltration
- Hardening third-party and MSP relationships
- Improving detection and response capabilities across hybrid and legacy environments
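Because the campaign described above steals data without encrypting anything, there is no ransomware artefact to catch; the signal defenders are left with is unusual outbound volume. The following is an added example, not Aflac's, Enfortra's or any vendor's code: it takes constructed flow records in an assumed (host, destination IP, bytes, hour) shape, builds a per-host egress baseline, and flags hosts that suddenly push far more data to external addresses than they normally do.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample egress flow records (not from the article):
# (source host, destination IP, bytes sent, hour-of-day bucket)
SAMPLE_FLOWS = [
    ("claims-db-01", "10.20.0.5", 120_000, 0),
    ("claims-db-01", "10.20.0.5", 110_000, 1),
    ("claims-db-01", "10.20.0.5", 130_000, 2),
    ("claims-db-01", "203.0.113.45", 9_500_000, 3),  # one large push to an external host
    ("hr-files-02", "10.20.0.9", 40_000, 0),
    ("hr-files-02", "198.51.100.7", 45_000, 1),
    ("hr-files-02", "198.51.100.7", 50_000, 2),
    ("hr-files-02", "198.51.100.7", 55_000, 3),
]

# Assumption: RFC 1918 ranges are the only internal networks.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(dst: str) -> bool:
    """True if the destination lies outside the assumed internal ranges."""
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)

def external_egress(flows):
    """Sum bytes sent to external destinations, keyed by (host, hour)."""
    totals = defaultdict(int)
    for host, dst, nbytes, hour in flows:
        if is_external(dst):
            totals[(host, hour)] += nbytes
    return totals

def flag_exfil(flows, baseline_hours=3, ratio=5.0, min_bytes=1_000_000):
    """Return [(host, hour, bytes)] for hours after the baseline window in which a
    host's external egress exceeds both an absolute floor and ratio x its own mean
    hourly egress during the baseline. A host with no external traffic in the
    baseline (typical for a database server) gets a baseline of zero, so only
    the floor applies and any sizeable external transfer is reported."""
    totals = external_egress(flows)
    alerts = []
    for host in sorted({f[0] for f in flows}):
        baseline = sum(totals.get((host, h), 0) for h in range(baseline_hours)) / baseline_hours
        threshold = max(min_bytes, ratio * baseline)
        for (h, hour), nbytes in totals.items():
            if h == host and hour >= baseline_hours and nbytes > threshold:
                alerts.append((host, hour, nbytes))
    return alerts

if __name__ == "__main__":
    for host, hour, nbytes in flag_exfil(SAMPLE_FLOWS):
        print(f"ALERT {host}: {nbytes} bytes to external hosts in hour {hour}")
```

In production the baseline would come from days of NetFlow or proxy logs rather than three hours, and the ratio and floor tuned per host role; the structure of the check stays the same.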
At Enfortra, we consistently see that large, complex enterprises with distributed systems and third-party dependencies are especially vulnerable to these kinds of targeted campaigns.
The Aflac breach is not an isolated event—it is a warning. As threat actors evolve their tactics, organizations must evolve their defenses just as quickly. For insurers, the question is no longer if further attacks will occur, but when.