American insurance giant Aflac has disclosed a cyberattack on its U.S. network, part of what it describes as a broader campaign targeting the insurance sector. The intrusion was detected on 12 June and stopped within hours, with no ransomware deployed and no disruption to operations.
The company says it remains fully operational and continues to underwrite policies and process claims. However, preliminary findings suggest that a sophisticated cybercrime group used social engineering tactics to gain access.
Aflac says it has engaged external cybersecurity experts to support its response and containment efforts.
While the investigation is still in its early stages, the insurer says affected files may include sensitive data such as Social Security numbers, health and claims information, and other personal details tied to customers, agents, employees, and beneficiaries.
Aflac has opened a dedicated call center. It is offering impacted individuals 24 months of free credit monitoring, identity theft protection, and Medical Shield. The call center will remain available through June.
“We regret that this incident occurred,” the company said in a statement, pledging continued transparency and support as the investigation unfolds.
Insurance in the Crosshairs
“There is definitely a stream of insurance company targeting,” says Lawrence Pingree, VP of Dispersive. “My assumption is that this is due to the plethora of data that these entities hold, and additional context that can be gleaned for other types of attacks seem attractive to the initial access brokers. But for sure it’s a bit of a guessing game until they start using the data.”
Stopped in Hours
It’s impressive that this attack was executed and stopped within a few hours, says Kumar Saurabh, CEO & Founder of AirMDR. He says small and medium-sized businesses are sitting ducks. Most lack the tools needed to detect an attack in real time, assuming they’re even collecting the right logs or telemetry to begin with. Many are essentially flying blind. And even when some data is available, they often don’t have the necessary detection rules, staff capacity, or mature security operations to investigate alerts and respond within hours.
Saurabh adds that if a company with fewer than 1,000 employees were targeted in a similar way, there’s a better than 95% chance it wouldn’t detect or respond to the breach in time. This, he says, is why the cybersecurity industry needs to shift its focus, from serving just the top 1% of enterprises to delivering high-quality detection and response to the 80% of businesses with fewer than 1,000 employees.
Targeting the Human Element
Ted Miracco, CEO or Approov adds that Aflac’s swift response and transparent disclosure following the June 12 breach are both commendable if somewhat unusual. “The use of social engineering to gain network access is part of a growing trend we’re seeing across the insurance and broader financial services sector.”
Miracco says these attacks are often aided by agentic AI, as attackers are targeting the human element, at scale, to bypass perimeter defenses and exfiltrate sensitive data such as health records and social security numbers. “This reinforces the urgent need for a layered security approach, particularly in mobile-first environments, where phishing-resistant authentication, runtime app protection, and robust API shielding are most essential.
“As cybercriminals evolve their tactics, companies will adopt dynamic defenses that protect both infrastructure and the entire app-to-API ecosystem. Aflac’s case should be a wake-up call to revisit how we defend customer data,” Miracco says.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.