Insurance provider Aflac has begun notifying approximately 22.65 million individuals that their personal information was compromised during a cyber intrusion detected in June 2025.

The company identified suspicious activity on its U.S. network on June 12 and disclosed the incident publicly on June 20. While Aflac says the attack was quickly contained and did not disrupt operations, the subsequent investigation confirmed that a broad range of sensitive personal and medical data was accessed.

Although no ransomware was deployed and no confirmed misuse of the data has been identified to date, the scale of exposure places this incident among the most significant insurance-sector breaches of 2025.

The insurance industry has become a high-priority target for cybercriminals.

Insurers store extensive personally identifiable information (PII), medical data, and financial records that are valuable for identity theft, fraud, and extortion. In recent years, attackers have increasingly favored data theft over disruptive ransomware, prioritizing long-term monetization and stealth.

The Aflac breach occurred amid a broader campaign targeting insurance companies, suggesting coordinated threat activity rather than an isolated incident.

Aflac detected suspicious network activity on June 12, 2025, and attributed it to a sophisticated cybercrime group operating as part of a wider industry-focused campaign.

The company states it immediately contained the intrusion and engaged third-party cybersecurity specialists to support incident response. No file-encrypting ransomware was deployed, and business operations were not interrupted.

By late December, Aflac announced it had completed a review of the potentially impacted data and began notifying affected individuals, confirming that information linked to customers, beneficiaries, employees, agents, and related parties had been exposed.

Aflac has not released detailed technical indicators of compromise, but the incident appears to involve unauthorized access and data exfiltration rather than system disruption.

The compromised data may include:

The absence of ransomware suggests a breach model focused on data collection rather than immediate extortion, a pattern increasingly observed in sector-wide campaigns.

The scale and sensitivity of the exposed data significantly elevate identity theft and medical fraud risk.

Unlike passwords, many of the affected identifiers—such as SSNs and medical records—cannot be easily changed. Even if no immediate abuse is detected, stolen data can surface months or years later in fraud schemes or underground markets.

Aflac is offering 24 months of credit monitoring, identity theft protection, and medical fraud protection, but long-term vigilance will remain necessary for impacted individuals.

This incident highlights a shift in how large-scale breaches unfold.

Rather than encrypting systems and demanding ransom, attackers increasingly aim to quietly extract data from high-value industries. The lack of operational disruption can delay detection while still producing significant downstream harm.

For insurers, the breach reinforces the need for continuous monitoring, rapid detection, and sector-wide intelligence sharing.

Aflac did not name the responsible threat actor, but noted the breach was part of a campaign against the insurance industry.

This aligns with warnings from Google Threat Intelligence Group, which previously reported increased activity by the Scattered Spider against insurers during the same period. While attribution has not been confirmed, the timing and targeting are consistent with that activity.