Aflac’s customer data has been breached in the latest cyberattack on the US insurance industry – potentially jeopardizing Social Security numbers, insurance claims and health information, the company said Friday.
It’s the largest insurance company yet to fall victim to a major hacking, with tens of millions of customers and a $55 billion market cap.
“This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group,” Aflac said Friday.
Aflac — long known for its quacking duck TV commercials — said it is unable to determine the total number of impacted individuals and the specific data stolen.
Its systems were not affected by ransomware, so it is fully operational, and the company has engaged third-party cybersecurity experts, Aflac added.
It said it stopped the intrusion on June 12 hours after it noticed suspicious activity.
Erie Insurance and Philadelphia Insurance Companies have also reported hacks this month.
Both of those cases led to widespread disruptions across their IT systems.
All three of the major hacks are consistent with techniques used by a group of young cybercriminals known as Scattered Spider, sources familiar with the investigation told CNN.
Aflac said the hackers used “social engineering” tactics to breach their network, manipulating employees to gain access to a company system and often posing as tech support workers over the phone — a trademark of Scattered Spider.
In the past, these hackers have posed as company help desk staffers to obtain credentials from employees or tricked workers into installing tools on their devices that will hand over network access, according to the US Cybersecurity & Infrastructure Security Agency.
Scattered Spider is believed to be made up of teens and young adults in the US and UK and is known for aggressively extorting victims.
Its members recently targeted Marks & Spencer and other UK retailers, and famously carried out a hacking spree across Las Vegas casinos in September 2023.
Cybersecurity executives have sounded the alarms over the group’s attack on the US insurance industry, warning companies to tell their employees to be wary of suspicious phone calls.
Aflac did not mention Scattered Spider by name in its press release.
