TL;DR: Aflac (the duck-mascot insurance giant) confirmed hackers stole data on 22.7 million people in June 2025. The breach included Social Security numbers, health information, passport numbers, and insurance claims data. Scattered Spider, the same crew behind the MGM Resorts hack, used social engineering to con their way in. Aflac didn't finish investigating until December 4, 2025. Notification letters went out December 23. If you have an Aflac policy, enroll in their free identity protection before April 18, 2026.

How a Phone Call Broke a Fortune 500 Company

On June 12, 2025, Aflac detected "suspicious activity" on its network. Within hours, the company says it contained the intrusion. But those hours were enough.

The attackers, linked to Scattered Spider (also known as Octo Tempest or UNC3944), didn't use sophisticated malware. They didn't exploit zero-days. They called. And someone answered.

Scattered Spider's playbook: impersonate IT staff, convince a real employee to reset a password or bypass multi-factor authentication, then walk right in with legitimate credentials. Against Aflac, it worked.

Aflac says this wasn't ransomware. The attackers didn't encrypt systems and demand payment. They grabbed what they could and got out. That distinction matters for Aflac's operations. For the 22.7 million people whose data was stolen, it's irrelevant.

What Was Stolen

Aflac's breach notices confirm the attackers accessed "multiple Aflac systems." The data compromised includes:

Personal Identifiers

Names, dates of birth, Social Security numbers, driver's license numbers, state ID numbers.

Identity Documents

Passport numbers and government-issued ID information.

Health Information

Medical records, health insurance details, and insurance claims data. Protected under HIPAA.

Contact Information

Addresses, phone numbers, email addresses.

The victims include Aflac customers, beneficiaries, employees, and insurance agents across the company's U.S. business. When you file a health insurance claim, that data lives forever in corporate databases. Now it lives on hacker forums too.

Six Months to Tell Anyone

Here's the timeline that should make you angry:

  • June 12, 2025: Attackers breach Aflac's systems
  • June 12, 2025: Aflac detects the intrusion and "contains" it within hours
  • June 20, 2025: Initial disclosure to regulators (vague)
  • December 4, 2025: Investigation completed, full scope confirmed
  • December 23, 2025: First notification letters to victims

Six months. For half a year, 22.7 million people had no idea their SSNs, passports, and medical records were circulating in the cybercriminal ecosystem. Six months of potential identity theft, tax fraud, and targeted scams before anyone got warned.

Aflac's defense: the investigation took time. The reality: victims deserve faster notification. When attackers have your SSN, every day of delay is another day you can't protect yourself.

Scattered Spider: The Insurance Industry's Nightmare

Google Threat Intelligence Group and federal law enforcement identified this as part of a coordinated campaign against the U.S. insurance industry. Aflac wasn't alone.

The Scattered Spider rampage hit insurers throughout summer 2025:

  • Erie Insurance: Systems down for 10+ days starting June 7, 2025
  • Philadelphia Insurance Companies: Breach detected June 9, 2025
  • Aflac: 22.7 million records stolen June 12, 2025
  • Allianz Life: 1.4 million affected via vendor compromise

The FBI has been warning about Scattered Spider since 2023. The group pulled off the MGM Resorts hack that shut down casinos and cost over $100 million. They social-engineered Caesars into paying $15 million in ransom. And they keep winning.

Why? Because their weapon isn't malware. It's human trust. One convincing phone call defeats every firewall ever built.

If You're an Aflac Customer

Enroll by April 18, 2026

Aflac is offering 2 years of free identity protection and credit monitoring. The enrollment deadline is April 18, 2026. Don't miss it.

Freeze Your Credit Now

Don't wait for credit monitoring. Freeze your credit at Equifax, Experian, and TransUnion. It's free and prevents anyone from opening accounts in your name.

File an IRS Identity Protection PIN

With your SSN exposed, tax fraud is a real risk. Request an IP PIN from the IRS to prevent fraudulent tax returns filed in your name.

Watch for Targeted Scams

Attackers know your insurance details. Expect convincing phishing emails claiming to be from Aflac, Medicare, or your healthcare provider. Verify everything through official channels.

The HIPAA Question

Health insurance data is protected under HIPAA. That law requires "covered entities" to notify affected individuals within 60 days of discovering a breach. Aflac discovered this breach June 12. Letters went out December 23, over 190 days later.

The company will argue the 60-day clock started December 4, when the investigation concluded. That's a legal interpretation, not a moral one. Your medical records were in criminal hands for six months before you knew to protect yourself.

Whether HHS investigates remains to be seen. But the delay pattern is becoming standard: discover fast, notify slow, hope nobody counts the days.

The Bottom Line

A group of social engineers (many of them young adults who learned their craft on Discord) talked their way into one of America's largest insurance companies. They walked out with 22.7 million people's most sensitive data: SSNs, passports, medical records, insurance claims.

Aflac detected the breach in hours but took six months to tell victims. That's six months of identity theft protection you didn't know you needed.

If you're an Aflac customer, policyholder, beneficiary, or agent: your data is out there. Freeze your credit, enroll in monitoring, and stay paranoid. The duck couldn't protect you. Now you have to protect yourself.

References

  1. TechCrunch - Aflac says hackers stole personal and health data of 22.6 million people (December 2025)
  2. The Record - More than 22 million Aflac customers impacted by June data breach (December 2025)
  3. WebProNews - Aflac Data Breach by Scattered Spider Exposes 22.6 Million Records
  4. Insurance Journal - Insurance Sector Should Be on the Lookout for 'Scattered Spider' Hackers (June 2025)
  5. Security Affairs - Aflac confirms June data breach affecting over 22 million customers