Leading U.S. insurance provider Aflac has disclosed a cyber incident affecting its internal systems. The breach, which did not involve ransomware, is part of a growing cybercrime campaign targeting the insurance sector in the United States. Experts believe it may be linked to the advanced threat group known as Scattered Spider.
Incident Contained, But Sensitive Data Possibly Stolen
Aflac, officially known as American Family Life Assurance Company, is a Fortune 500 firm serving millions in the U.S. and Japan. In a press statement, the company confirmed that its cyber response team quickly acted to stop the intrusion.
The attack was detected and mitigated within hours. Operations remained stable, and customer services—including claims processing and underwriting—continued without disruption.
However, a subsequent investigation, supported by external cybersecurity specialists, revealed that sensitive data may have been accessed. According to Aflac’s filing with the U.S. Securities and Exchange Commission (SEC), the exposed information could include personally identifiable information (PII) such as Social Security numbers, health records, claims information, and employment details related to policyholders, beneficiaries, staff, and agents.
Aflac reassured its stakeholders that ransomware was not deployed, but the precise scope and intent behind the breach remain under investigation.
Scattered Spider’s Involvement Signals Industry-Wide Risk
Although Aflac has not officially attributed the breach to a specific group, cybersecurity professionals say the tactics used align closely with those of Scattered Spider—a group also tracked as UNC3944, 0ktapus, and Muddled Libra.
Scattered Spider is notorious for using highly targeted social engineering to infiltrate large organizations. Their strategies include phishing, SIM swapping, and overwhelming multi-factor authentication systems—a technique known as MFA fatigue or “bombing.” These methods have proven successful in past attacks against companies like MGM Resorts, DoorDash, Caesars Entertainment, and Reddit.
The group often collaborates with ransomware operators such as BlackCat, DragonForce, and RansomHub. Notably, in late 2023, Scattered Spider breached MGM Resorts by impersonating an employee. They went on to encrypt over 100 VMware ESXi hypervisors, significantly disrupting the company’s operations.
Recent months have seen the group intensify its focus on insurance companies. John Hultquist, Chief Analyst at Google’s Threat Intelligence Group (GTIG), confirmed to BleepingComputer that Scattered Spider is currently directing its efforts toward U.S. insurers. He emphasized that help desks and customer support lines are now prime targets, as attackers seek to exploit human error at the point of entry.
Both Philadelphia Insurance Companies and Erie Insurance have also experienced recent disruptions linked to unauthorized network activity. These events underline a larger pattern of sector-specific targeting.
At Eye World, we strongly encourage firms in the insurance and financial sectors to implement rigorous staff training, multi-layered access controls, and real-time monitoring systems. As cybercriminals refine their tactics, a proactive and adaptive defense strategy is now essential—not optional.
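The MFA fatigue pattern described above leaves a recognisable trace in authentication logs: a burst of rejected or ignored push prompts for one account, sometimes ending in an approval. The sketch below is an added example, not part of the original article or any vendor's code; the log format, event names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical log format (not a vendor schema).
SAMPLE_LOG = """\
2025-06-12T03:14:05Z user=jdoe event=push_denied src=203.0.113.7
2025-06-12T03:14:40Z user=jdoe event=push_denied src=203.0.113.7
2025-06-12T03:15:10Z user=jdoe event=push_timeout src=203.0.113.7
2025-06-12T03:15:55Z user=jdoe event=push_denied src=203.0.113.7
2025-06-12T03:16:30Z user=jdoe event=push_denied src=203.0.113.7
2025-06-12T03:17:02Z user=jdoe event=push_approved src=203.0.113.7
2025-06-12T09:01:00Z user=asmith event=push_denied src=198.51.100.20
2025-06-12T09:01:30Z user=asmith event=push_approved src=198.51.100.20
2025-06-12T10:00:00Z user=bwong event=push_denied src=192.0.2.44
2025-06-12T10:20:00Z user=bwong event=push_denied src=192.0.2.44
2025-06-12T10:40:00Z user=bwong event=push_denied src=192.0.2.44
2025-06-12T11:00:00Z user=bwong event=push_denied src=192.0.2.44
2025-06-12T11:20:00Z user=bwong event=push_denied src=192.0.2.44
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of rejected prompts that is abnormal

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, kind, time) alerts: 'burst' when rejected prompts reach the
    threshold inside the window, 'approved_after_burst' when an approval follows."""
    rejected = defaultdict(deque)  # user -> timestamps of denied/timed-out prompts
    alerts = []
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    for ev in events:
        q = rejected[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if ev["event"] in ("push_denied", "push_timeout"):
            q.append(ev["ts"])
            if len(q) == threshold:  # alert once, when the burst is first reached
                alerts.append((ev["user"], "burst", ev["ts"].isoformat()))
        elif ev["event"] == "push_approved":
            if len(q) >= threshold:  # approval right after a burst: highest priority
                alerts.append((ev["user"], "approved_after_burst", ev["ts"].isoformat()))
            q.clear()
    return alerts
```

The `approved_after_burst` alert is the one that warrants immediate session revocation and a call-back to the user; a single denial followed by an approval (`asmith`) and denials spread over hours (`bwong`) produce no alert.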