Breach in the Insurance Sector: Aflac Hit by Suspected Scattered Spider Intrusion


Aflac, one of the largest supplemental insurance providers in the United States, disclosed a cybersecurity breach that took place on June 12, 2025. The incident raised critical concerns regarding data security in the financial and healthcare insurance sectors, especially given the high sensitivity of the data Aflac manages for its millions of policyholders.

Severity Level: High

How The Breach Happened

The attackers used advanced social engineering techniques to gain unauthorized internal access.
Key Points:

  • No malware or ransomware was deployed; this was a pure data-exfiltration attack.
  • Attackers posed as tech support personnel, likely contacting employees directly to extract credentials, exploit trust, and reset MFA for high-privilege users.
  • Analysts believe the attack did not involve supply chain vendors.
  • The breach vectors and modus operandi align closely with known operations (SIM swapping, MFA fatigue bombing, and phishing) by the threat actor Scattered Spider.

Data Stolen During The Breach

Aflac’s filing with the SEC confirmed exposure of Personally Identifiable Information (PII). This includes:

  • Health insurance claims and associated medical data
  • Social Security Numbers (SSNs)
  • Customer, beneficiary, agent, and employee personal information

The full extent is still under investigation because the affected data is spread widely across Aflac systems.

Lessons Learned

  • Call Center Access Can Be the Weakest Link: Threat actors likely bypassed MFA by manipulating support agents, highlighting the need for strong verification protocols at help desks. Organizations must treat non-technical social engineering routes as high-risk vectors.
  • Traditional MFA Can Be Defeated: Scattered Spider is known for exploiting MFA fatigue, SIM swapping, and socially engineered resets. MFA must be hardened with adaptive authentication, geo-behavioral monitoring, and FIDO2-compliant phishing-resistant methods.

Recommendations

  1. Configure alerting on unusual support requests, such as off-hours login attempts or support tool usage.
  2. Audit and secure remote access tools (e.g., AnyDesk, TeamViewer) commonly abused in impersonation attacks.
  3. Maintain a rapid communication plan for informing employees and customers if impersonation attempts are suspected.
  4. Encrypt all PII and medical data at rest and in transit, even inside internal networks.
  5. Enable data loss prevention (DLP) to monitor for unauthorized data access or exfiltration.
  6. Require employee re-verification for critical support requests (e.g., credentials reset, access elevation).
  7. For Individuals Affected by the Aflac Breach:
    • Take advantage of the two-year monitoring and protection program offered by Aflac. These services typically include credit monitoring, identity theft detection, and recovery support.
    • Routinely check bank statements, insurance policy activity, and credit bureau reports for any unauthorized transactions, unusual claims, or new account openings.
    • Remain alert to emails, calls, or messages that request personal or financial information. These could be phishing attempts exploiting stolen data from the breach. Avoid clicking on unfamiliar links and always verify the sender’s identity.
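Recommendations 1, 2, and 6 above are detection rules as much as policy, so the following is an added worked example (not from the advisory, and not Aflac's or Ampcus Cyber's code) that correlates constructed help-desk, identity-provider, and endpoint events to flag exactly those patterns: a credential or MFA reset on a privileged account performed without re-verification, a sign-in outside business hours shortly after a reset, and a launch of one of the remote-support tools the advisory names. The log format, the `admin.`/`svc.` privileged-account prefixes, the 07:00 to 19:00 business window, and the two-hour correlation window are all assumptions chosen for the example.

```python
"""
Added example: correlate help-desk, IdP and endpoint events to surface the
social-engineering pattern described in the advisory. All log lines below
are constructed for illustration; they are not real Aflac telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events. Format: ISO timestamp | source | key=value fields.
SAMPLE_LOG = """\
2025-06-12T02:14:00 helpdesk action=mfa_reset target=admin.jsmith agent=hd-07 verified=no
2025-06-12T02:21:30 idp event=login user=admin.jsmith result=success ip=203.0.113.45
2025-06-12T02:25:10 endpoint host=ws-118 event=process_start name=AnyDesk.exe user=admin.jsmith
2025-06-12T09:05:00 helpdesk action=password_reset target=rlee agent=hd-02 verified=yes
2025-06-12T09:12:00 idp event=login user=rlee result=success ip=10.20.30.40
2025-06-12T14:40:00 idp event=login user=bchen result=success ip=10.20.31.7
"""

PRIVILEGED_PREFIXES = ("admin.", "svc.")            # assumption: naming convention for privileged accounts
REMOTE_SUPPORT_TOOLS = {"anydesk.exe", "teamviewer.exe"}  # tools named in the advisory
BUSINESS_HOURS = (7, 19)                            # assumption: local business window, 07:00-19:00
RESET_WINDOW = timedelta(hours=2)                   # assumption: how long after a reset a login is "suspicious"


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict


def parse_log(text):
    """Parse the constructed 'timestamp source k=v ...' format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append(Event(datetime.fromisoformat(ts), source, fields))
    return events


def is_off_hours(ts):
    """True outside the business window or on a weekend."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end) or ts.weekday() >= 5


def detect(events):
    """Return (alert_kind, user, timestamp) tuples for the three patterns."""
    alerts = []
    resets = {}  # user -> timestamp of the most recent help-desk reset
    for e in sorted(events, key=lambda ev: ev.ts):
        f = e.fields
        if e.source == "helpdesk" and f.get("action") in {"mfa_reset", "password_reset"}:
            user = f["target"]
            resets[user] = e.ts
            # Recommendation 6: privileged resets must carry a re-verification record.
            if f.get("verified") != "yes" and user.startswith(PRIVILEGED_PREFIXES):
                alerts.append(("unverified_privileged_reset", user, e.ts))
        elif e.source == "idp" and f.get("event") == "login" and f.get("result") == "success":
            user = f["user"]
            # Recommendation 1: off-hours sign-in soon after a help-desk reset.
            recent_reset = user in resets and e.ts - resets[user] <= RESET_WINDOW
            if is_off_hours(e.ts) and recent_reset:
                alerts.append(("off_hours_login_after_reset", user, e.ts))
        elif e.source == "endpoint" and f.get("event") == "process_start":
            # Recommendation 2: launches of remote-support tools commonly abused by impersonators.
            if f.get("name", "").lower() in REMOTE_SUPPORT_TOOLS:
                alerts.append(("remote_support_tool_launch", f["user"], e.ts))
    return alerts


def alert_kinds(alerts):
    """Convenience view: just the alert names, in chronological order."""
    return [kind for kind, _, _ in alerts]


if __name__ == "__main__":
    for kind, user, ts in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind} user={user}")
```

Run as written, the script raises three alerts, all for `admin.jsmith`: the unverified MFA reset at 02:14, the off-hours login seven minutes later, and the AnyDesk launch on the workstation. The legitimate daytime reset for `rlee`, which carries `verified=yes`, produces nothing, which is the point of keying the help-desk rule on a re-verification field rather than on resets alone.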

Sources:

  • https://www.bleepingcomputer.com/news/security/aflac-discloses-breach-amidst-scattered-spider-insurance-attacks/
  • https://newsroom.aflac.com/2025-06-20-Aflac-Incorporated-Discloses-Cybersecurity-Incident

Ampcus Cyber