Aflac breach hits 22.6 million with health and ID data stolen

According to TechCrunch, U.S. insurance giant Aflac has confirmed that a data breach it disclosed in June impacted a staggering 22.65 million people. The company began notifying victims this week, revealing that hackers stole a comprehensive suite of personal and health data. That stolen information includes names, dates of birth, addresses, government ID numbers like passports and driver’s licenses, Social Security numbers, and medical and health insurance details. In filings with state attorneys general, Aflac indicated the hackers “may be affiliated with a known cyber-criminal organization” targeting the insurance industry. Given the timing and target, the likely culprit is the hacking collective Scattered Spider. This breach is part of a wider spree that also hit companies like Erie Insurance and Philadelphia Insurance Companies.

Scale and context

Here’s the thing: 22.65 million is a colossal number. Aflac says it has about 50 million customers total, so this breach potentially affects nearly half of them. We’re not talking about just email addresses here. This is the full identity theft starter kit—Social Security numbers and health data. That combination is a nightmare. Health information is uniquely sensitive and permanent; you can’t change your medical history like you can a credit card number. It’s also incredibly valuable on dark web markets. The filing with the Iowa attorney general is pretty explicit about the threat actor being part of a larger, organized effort. This wasn’t some random script kiddie.

The likely culprits

So who did it? All signs point to Scattered Spider. This group, known for being young, English-speaking, and ruthlessly effective, was actively targeting the insurance sector around the time of Aflac’s breach. Their modus operandi often involves social engineering and SIM-swapping to bypass multi-factor authentication, gaining access to corporate networks. They’re not state-sponsored; they’re cybercriminals in it for financial gain. And what’s a better target than an insurance company sitting on mountains of the most personal data imaginable? The fact that Aflac’s breach happened alongside others in the same industry isn’t a coincidence. It was a coordinated attack. Basically, the insurance sector was in their crosshairs, and defenses failed.

Why this matters

Look, data breaches happen every day. But this one stands out for a few reasons. First, the sheer volume of highly sensitive data. Second, the lag in disclosure: the breach happened, Aflac knew in June, but the public is only now learning of the massive scale. That’s a long time for that data to be circulating. And third, the industry-wide pattern. It shows these groups aren’t just picking on weak links; they’re systematically exploiting a whole sector. For the victims, the risk isn’t just financial fraud. Medical identity theft can lead to falsified records, wrong medical treatments, and years of bureaucratic hell to untangle. Aflac will offer credit monitoring, but does that really help when your health records are in the wild? Probably not.

The broader picture

This breach is a stark reminder of the massive concentrations of risk in certain industries. Insurance, healthcare, finance—they’re all treasure troves. And while companies invest in cybersecurity, they’re often protecting against yesterday’s threats. Groups like Scattered Spider are agile and human-centric in their attacks, which can bypass a lot of traditional tech defenses. It also raises a question: in sectors holding our most critical data, are the penalties for failing to secure it severe enough? The notification letters are going out now, but for 22.6 million people, the real impact is just beginning. And you have to wonder, who’s next?