- Aflac confirmed that personal information (Social Security numbers, medical information and accounts) of 22.65 million people was stolen in a hack that occurred in June 2025.
- Victims include customers, employees and agents. The company is currently sending out information and providing assistance.
- The “Absent-Minded Spider” suspect was also linked to attacks on Erie, Philadelphia Insurance and Allianz Life Insurance.
The cyberattack on US insurance giant Aflac in the summer of 2025 affected more than 22 million people, the company said.
“After reviewing the potentially affected files, we have determined that personal information of approximately 22.65 million people is involved,” the statement said.
The company is now notifying everyone whose information was stolen, including customers’ insurance claims, Social Security numbers and medical information. The victims include the beneficiaries of the company, its employees and agents.
scattered spiders
The company said it blocked unauthorized access to its network “within a matter of hours” and filed an 8-K report with the U.S. Securities and Exchange Commission (SEC) in late June 2025.
The company said at the time that it did not believe the attack was caused by ransomware, but stressed that without a thorough investigation it could not be certain about the nature of the incident or who was affected.
American law firm Maynard Nixon also announced in June 2025 that “several insurance companies”, including Aflac, Erie Insurance, and Philadelphia Insurance, were the targets of a Scattered Spider attack.
“As a threat actor, the Scattered Spider is currently focused on the insurance industry,” the statement said.
This also includes North American insurance company Allianz Life. In July, the company told Scattered Spiders that 1.4 million customers, financial professionals, and employees suffered the same fate and lost personal information through third-party CRM platforms.
The Scattered Spider hackers are believed to be financially motivated and have previously carried out cyberattacks and intrusions against major technology companies, casinos, and hotels.
For technical crisis
