Aflac Is Notifying 22.7 Million People. The Attack Was June 2025. The Number Is the News — and It's the Same Consent-Leak Insurance Vertical We've Been Naming All Year.

  • Writer: Patrick Duggan
  • 1 hour ago
  • 4 min read

Aflac is notifying twenty-two-point-seven million people that their data was stolen, and the first thing to get straight is the timeline, because the headline version blurs it. The attack was not this week. Aflac detected the intrusion on June 12, 2025, contained it within hours, and confirmed it was not ransomware — a data-theft operation, not an encryption event. What is happening now, a year later, is the notification: the count of affected individuals has been finalized at twenty-two-point-seven million, and the stolen material includes insurance claims, Social Security numbers, and health details. So the news here is not a fresh breach. The news is the size, and the year it took to put a number on it. When a Fortune 500 insurer needs twelve months to tell twenty-two million people what was taken, the dwell time on the disclosure is its own scandal, separate from the dwell time on the intrusion.


This was not a clever zero-day, and that is the part that should bother every enterprise that thinks its perimeter is the problem. The Aflac intrusion came in the middle of a sustained campaign against the insurance industry by Scattered Spider — the loosely affiliated, mostly English-speaking crew that gets into major companies not by chaining CVEs but by calling the help desk and convincingly pretending to be an IT worker or a locked-out employee. The same campaign hit Philadelphia Insurance, Erie Insurance, and Scania Financial Services. The soft surface here is not a firewall. It is a human on a support line under pressure to be helpful, and a password-reset process that trusts a confident voice. We have written this shape over and over: the hard perimeter holds, and the soft surfaces bleed. Scattered Spider is one of the three crews we track as the Coinbase Cartel confederation — alongside ShinyHunters and Lapsus$ — the overlapping operator cluster behind a year of high-profile social-engineering breaches. Aflac is not an outlier in that pattern. It is a charter member of it.


And here is why this lands exactly where our coverage already sits. Insurance is a consent-leak vertical — every record exists because a human signed a form authorizing the collection of their identity, their dependents, their Social Security number, and in Aflac's case their health details. That is the precise field set that makes a breach class-action-lethal and an actuary's nightmare specific, and it is the same thesis we published against DentaQuest nine days ago and against the broader Coinbase Cartel vertical-pivot pattern in May. The crews are not farming insurance because insurers are uniquely careless. They are farming insurance because the data is uniquely damaging to leak and therefore uniquely expensive to ransom or litigate. Twenty-two-point-seven million claims-and-SSN-and-health records is not a number you price like a credit-card dump. It is a number plaintiffs' counsel prices, and they are already pricing it.


The protective read, for the twenty-two million and for the security teams watching their own help desks. If you are an Aflac customer, beneficiary, employee, or agent, assume the full identity set — name, Social Security number, claims, and health information — is out, and act on that assumption rather than the soothing version in the notification letter: freeze your credit at all three bureaus, which takes ten minutes and is free, and treat any insurance-themed call or email over the next year as hostile until proven otherwise, because a breach this rich feeds exactly that kind of targeted follow-on fraud. If you run an enterprise — especially one holding consent-form PII at scale — the Aflac lesson is not about Aflac's firewall. It is about your help desk. Scattered Spider's entire edge is the password reset and the IT-impersonation call; harden the human process, require out-of-band verification for privileged resets, and run the tabletop where the attacker is a polite, fluent caller who already knows three facts about the employee they are pretending to be. That is the attack. It worked on an insurer with a real security budget, and it will work on you if the soft surface is open.
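The help-desk gate described above, as an added example that is not code from the original post or from Aflac: a knowledge-based reset check (the caller answers three facts) beside an out-of-band one (the agent calls the phone number held in the HR system, and a privileged reset also needs the manager of record to approve). The directory entries, field names and the three facts are assumptions constructed for the demonstration.

```python
"""Help-desk password-reset gating: knowledge-based check beside an out-of-band check."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    username: str
    privileged: bool
    employee_id: str
    manager: str
    phone_of_record: str  # taken from the HR system, never from the caller


@dataclass(frozen=True)
class ResetRequest:
    username: str
    stated_employee_id: str      # "three facts" a caller offers; an impersonator
    stated_manager: str          # who did reconnaissance may hold all of them
    stated_start_year: int
    callback_confirmed: bool     # agent hung up, dialled phone_of_record, employee confirmed
    approver: Optional[str] = None  # recorded second approver for privileged accounts


# Constructed sample directory (placeholder people and numbers, not real data).
DIRECTORY: Dict[str, Employee] = {
    "jdoe": Employee("jdoe", True, "E-1001", "asmith", "+1-555-0100"),
    "bkim": Employee("bkim", False, "E-1002", "asmith", "+1-555-0101"),
}
START_YEAR = {"jdoe": 2019, "bkim": 2022}


def weak_reset_allowed(req: ResetRequest) -> bool:
    """Knowledge-based verification: passes for anyone who already knows the facts."""
    emp = DIRECTORY.get(req.username)
    if emp is None:
        return False
    return (req.stated_employee_id == emp.employee_id
            and req.stated_manager == emp.manager
            and req.stated_start_year == START_YEAR[req.username])


def hardened_reset_decision(req: ResetRequest) -> Tuple[bool, List[str]]:
    """Out-of-band verification: stated facts carry no weight; the callback to the
    number of record does, and a privileged account also needs manager approval."""
    emp = DIRECTORY.get(req.username)
    if emp is None:
        return False, ["unknown account"]
    reasons = []
    if not req.callback_confirmed:
        reasons.append("no callback to phone of record")
    if emp.privileged and req.approver != emp.manager:
        reasons.append("privileged account: manager approval missing")
    return (not reasons), reasons
```

A caller who knows all three facts clears the weak gate; the hardened gate ignores the facts and turns the same request away until the callback and, for a privileged account, the approval are on file.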


The honest 95%: we cannot independently confirm every detail of the attribution — Scattered Spider is a loose, overlapping label, the insurance-campaign linkage is drawn from reporting rather than our own incident response, and we are repeating it as the most credible read, not as a finding we generated. We cannot tell you twenty-two-point-seven million is final either; breach counts in cases this size drift for months as forensics complete, and they more often drift up. What we can tell you is that the shape is not new, the vertical is one we called, the crew is one we track, and the year-long gap between the June 2025 break-in and this week's notification is the part of this story the press will move past tomorrow and the affected twenty-two million will live with for years. The number is the news. The pattern was already on the page.

