Aflac Data Breach Exposes Personal and Health Information of 22.6 Million Customers
In June 2025, Aflac, a leading U.S. insurance provider, reported a significant data breach. Initially, the company disclosed that hackers had accessed customers’ personal and health information, including Social Security numbers, but did not specify the number of individuals affected.
On December 23, 2025, Aflac confirmed that approximately 22.65 million people had their data compromised in this cyberattack. The stolen information encompasses customer names, dates of birth, home addresses, government-issued identification numbers (such as passports and state IDs), driver’s license numbers, Social Security numbers, and medical and health insurance details.
In a filing with the Iowa attorney general, Aflac indicated that the cybercriminals responsible for the breach might be linked to a known cyber-criminal organization. Federal law enforcement and third-party cybersecurity experts have suggested that this group has been targeting the insurance industry at large.
During the period of the breach, a hacking collective known as Scattered Spider was actively targeting the insurance sector. This group, primarily composed of young English-speaking hackers, is likely the entity Aflac referred to in its filings.
Aflac, which serves around 50 million customers, has not provided additional comments regarding the breach.
This incident is part of a broader trend of cyberattacks on the insurance industry. Around the same time, other companies, including Erie Insurance and Philadelphia Insurance Companies, also experienced data breaches.
