Aflac breach hits 22 million: Here’s what you need to do now


According to ZDNet, Aflac has completed its review of a June cyberattack, revealing that personal data for roughly 22.65 million customers, employees, and agents was stolen. The breach, discovered on June 12 and disclosed on June 20, exposed names, contact info, claims and health information, and Social Security numbers. The sophisticated attack is attributed to the notorious ransomware group Scattered Spider, which Google warned was pivoting to target insurance companies just days before Aflac’s announcement. In response, Aflac is offering 24 months of free credit monitoring, identity theft protection, and medical fraud protection through CyEx Medical Shield. The enrollment deadline is April 18, 2026, and you can sign up by calling 1-855-361-0305.


Scattered Spider’s Playbook

Here’s the thing about Scattered Spider: they’re not just some kids in a basement. This group is known for highly effective, low-tech social engineering. We’re talking about calling up company help desks, pretending to be an employee in a panic, and tricking support agents into resetting passwords or granting access. They combine that with SIM swapping to bypass two-factor authentication sent via text. Once they’re in, they use legitimate remote access tools to move around and steal data. A detailed CrowdStrike report outlines their whole arsenal. Their MO is to hold data for ransom, threatening to dump it publicly if they don’t get paid. So the fact that Aflac’s incident notice doesn’t mention a ransom payment suggests they either contained it or refused to pay. But the data is still out there.

Why Insurance Companies Are Targets

You might wonder, why insurance? It’s not exactly sexy tech. But think about what they have: mountains of incredibly sensitive data. We’re not just talking credit card numbers here. This is full dossiers with your Social Security number, your health conditions, your financial dependents, and your employment history. It’s a goldmine for identity theft, medical fraud, and highly targeted phishing schemes. As CyberScoop reported with Google’s warning, these groups focus on a sector at a time. They develop specialized tactics and social engineering scripts that work on that industry’s specific workflows and pain points. For insurers with large call centers, that human layer becomes the weakest link. It’s a brutal reminder that in cybersecurity, your data is only as secure as your most gullible employee.

What You Should Do Right Now

First, don’t panic, but do act. If you’ve ever had a policy with Aflac, worked for them, or were listed as a beneficiary, you should assume your data was part of this breach. The official release and company update are light on specifics about who exactly got what data exposed. That means you need to be proactive. Call that number and enroll in the free CyEx service. It’s not a magic shield, but 24 months of monitoring is a crucial early-warning system. Second, go beyond credit. Check your insurance statements and explanation of benefits (EOBs) for medical services you never received. Medical fraud is a huge, messy problem that can affect your future care and premiums. Finally, this is a wake-up call to lock down your other accounts. Use a password manager, enable two-factor authentication everywhere (and use an app, not SMS), and be hyper-skeptical of any unsolicited communication claiming to be from Aflac or any financial institution. They have your real details now, so the phishing attempts will be convincing.

The Broader Takeaway

Look, breaches are inevitable at this scale. But the response matters. Aflac’s offer of 24 months of protection is becoming the standard, but is it enough? Social Security numbers don’t expire. Health history is forever. The protection service ends in 2026, but your data will be floating around on dark web forums for decades. This incident highlights a systemic issue: we’ve centralized our most sensitive personal information into these massive corporate databases that are irresistible targets. And while companies scramble to harden their digital perimeters, the attackers just call the help desk. So what’s the solution? Honestly, it’s messy. Stronger regulations, maybe. A move away from using SSNs as universal identifiers, definitely. But for now, it’s on us to be vigilant. Sign up for the monitoring, freeze your credit, and assume your data is already in the wild. Because for 22.65 million people, it probably is.
