Aflac
Scattered Spider targets one of America's largest supplemental insurance providers—putting millions of policyholders at risk.
What happened?
On June 6, 2026, Scattered Spider claimed responsibility for a breach at Aflac, one of America's largest supplemental insurance providers. Aflac serves approximately 22.7 million customers and employs over 13,000 people across the United States and Japan.
Scattered Spider is known for sophisticated social engineering attacks, often targeting helpdesks and IT support to gain initial access. They've previously hit major enterprises including MGM Resorts and Caesars Entertainment. Insurance companies are high-value targets because of the volume and sensitivity of the data they maintain.
What data was actually inside?
The specific data types have not been publicly confirmed. Supplemental insurance providers maintain extensive records: Social Security numbers, policy applications, claims histories, medical documentation supporting disability and illness claims, bank account information for premium payments and claim disbursements, and employment data linking policies to workplaces.
Aflac's products—disability insurance, cancer coverage, accident policies—require detailed health information. Claims processing involves documentation of diagnoses, treatments, and financial hardship. This creates comprehensive profiles of policyholders at their most vulnerable moments.
Who gets hurt and how?
The people hurt are the millions of Americans who purchased insurance as a safety net for worst-case scenarios. Policyholders who filed claims (meaning they already experienced illness, injury, or disability) now face potential exposure of those records. So do employees whose workplace benefits enrollment connected their employment to their health concerns.
Social Security numbers combined with insurance claims data enable sophisticated fraud: identity theft, medical identity fraud, and targeted scams that reference real policy details. The combination of SSNs, health data, and financial information creates a complete identity package for criminals.
What did they think they were doing right?
Major insurers invest heavily in cybersecurity. They maintain SOC 2 compliance, employ security teams, implement multi-factor authentication, and conduct regular audits. Aflac is a Fortune 500 company with resources to invest in security infrastructure.
But Scattered Spider specializes in bypassing technical controls through human manipulation. They target helpdesks, impersonate employees, and exploit the procedures designed to help legitimate users regain access. The attack vector isn't always a technical vulnerability; it can be the trust organizations place in verification processes.
What did they not know about their own data?
Insurance companies accumulate data across decades of policy applications, claims processing, and customer service interactions. Legacy systems from acquisitions, regional variations in data storage, and the sheer volume of records create complexity that's difficult to map completely.
When attackers achieve network access, the question becomes: what could they reach? SSNs may be stored in claims systems, payment databases, HR platforms, and document repositories. Without complete data mapping, the potential scope of exposure remains uncertain while the investigation continues.
If your business runs on databases, you probably have similar records—customer data, credentials, financial information. Do you know what's actually in yours?
What does attribution look like the morning after?
State insurance regulators across all 50 states where Aflac operates have breach notification requirements. HIPAA applies to health-related claims data. State attorneys general may open investigations. The scale of a potential 22.7 million customer breach triggers notification logistics that take months to execute.
Scattered Spider operates differently from traditional ransomware groups—they often combine data theft with extortion, threatening exposure rather than encryption. The company must assess what was actually accessed while managing regulatory requirements and customer communications across millions of policyholders.
What would have changed the outcome?
Knowing exactly where 22.7 million customers' SSNs, claims data, and health information resided across enterprise systems.
Large insurers have data in hundreds of systems—legacy platforms, cloud services, regional offices, third-party processors. A comprehensive data inventory would have revealed where the most sensitive information concentrated, enabling prioritized protection and faster breach assessment. When attackers gain access, the race to understand exposure requires knowing what existed where before the incident—not discovering it during forensic investigation.
Aflac found out the hard way.