More than 22 million Aflac customers impacted by June data breach

A data breach in June exposed the information of more than 22 million Aflac customers, according to a new statement from the company. 

The Georgia-based insurance giant published a statement on Friday about the conclusion of a months-long investigation into a cybersecurity incident announced earlier this year. 

The company previously warned the Securities Exchange Commission (SEC) that while it was able to stop a hacker intrusion “within hours,” some files were stolen by the cybercriminals. 

Aflac reiterated that it was not affected by ransomware. The company has begun notifying state regulators about the attack and sending breach notification letters to victims. 

Officials in Texas said more than 2 million residents of the state were affected and in total, about 22.7 million individuals had information stolen. 

The company faced no operational issues as a result of the cyberattack but the documents stolen contained information on insurance claims, health data, Social Security numbers and other personal details of “customers, beneficiaries, employees, agents, and other individuals in its U.S. business.” 

Federal law enforcement was notified of the attack and cybersecurity experts were hired to deal with the incident. 

The letters say the investigation concluded on December 4 and victims are being given access to two years of identity protection services. The letters said the deadline to enroll in the services ends on April 18, 2026.

The incident took place amid a wider campaign of attacks targeting the insurance industry by an organization known as Scattered Spider, a loosely affiliated group of English-speaking cybercriminals known for gaining access to major companies by posing as IT workers. Erie Insurance, the Philadelphia Insurance Companies and Scania Financial Services each reported cyberattacks at the time. 

Since the attacks, law enforcement has taken down a leak site used by the group and two members were arrested and charged in the U.K. A Justice Department complaint unsealed in September revealed that the Scattered Spider cybercriminal operation was able to extort at least $115 million from dozens of victims over the last three years.