title: "Aflac: Scattered Spider Help-Desk Breach" date: 2026-06-09 slug: aflac-data-breach-notification
Aflac: Scattered Spider Help-Desk Breach
Aflac is notifying 22.7 million people that their personal data was stolen in a June 2025 intrusion, and the first thing to get straight is the timeline, because the headline version blurs it. The attack was not this week. Aflac detected the intrusion on June 12, 2025, contained it within hours, and confirmed it was not ransomware: a data-theft operation, not an encryption event. What is happening now, a year later, is the notification. The count of affected individuals has been finalized at 22.7 million, and the stolen material includes insurance claims, Social Security numbers, and health details. The news is not a fresh breach. The news is the size, and the year it took to put a number on it.
What Happened
Aflac detected unauthorized access to its network on June 12, 2025, and says it contained the activity within hours. The company confirmed early that the event was not ransomware: no encryption, no locked systems, no extortion timer. It was a quiet data-theft operation, the kind designed to exfiltrate records and leave.
The intrusion sits squarely inside a sustained 2025 campaign against the insurance industry attributed to Scattered Spider, the same loosely affiliated, mostly English-speaking crew that hit Philadelphia Insurance, Erie Insurance, and Scania Financial Services in the same window. Aflac was not a one-off target. It was one stop on a vertical sweep.
What makes the disclosure its own story is the gap. When a Fortune 500 insurer needs twelve months to tell 22 million people what was taken, the dwell time on the disclosure becomes a scandal separate from the dwell time on the intrusion. The breach was contained in hours. The count took a year.
What Was Taken
The stolen material is the worst-case field set for a consumer. According to Aflac, the exfiltrated data includes insurance claims, Social Security numbers, and health details, spanning customers, beneficiaries, employees, and agents.
That combination is what makes this breach class-action-lethal. Every record exists because a human signed a form authorizing the collection of their identity, their dependents, their Social Security number, and in Aflac's case their health information. Claims plus SSN plus health data is the precise bundle that fuels identity theft, medical fraud, and targeted phishing, and the volume here is 22.7 million records of exactly that shape.
Why It Matters
Insurance is a consent-leak vertical. Every record is a form a person filled out, attesting to the most damaging-to-leak details about their life. That is why the crews are farming it. They are not targeting insurers because insurers are uniquely careless. They are targeting insurers because the data is uniquely damaging to leak and therefore uniquely expensive to ransom or litigate.
Scattered Spider is one of three crews in the operator cluster we track as the Coinbase Cartel confederation, alongside ShinyHunters and Lapsus$, the overlapping social-engineering operators behind a year of high-profile breaches. Aflac is not an outlier in that pattern. It is a textbook instance of it. The same thesis we published against DentaQuest nine days ago, and against the broader Coinbase Cartel vertical-pivot pattern in May, lands here intact: the perimeter held, and the soft surface bled.
The Attack Technique
This was not a clever zero-day, and that is the part that should bother every enterprise that thinks its perimeter is the problem. Scattered Spider does not get into major companies by chaining CVEs. It gets in by calling the help desk and convincingly pretending to be an IT worker or a locked-out employee.
The soft surface is not a firewall. It is a human on a support line under pressure to be helpful, and a password-reset process that trusts a confident voice. The crew leans on phone-based social engineering, MFA fatigue, SIM-swapping, and help-desk impersonation to seize legitimate credentials, then moves laterally with whatever access the hijacked account legitimately holds. Because every step uses a real account and a sanctioned reset path, there is no exploit to patch and no signature to block. The hard perimeter holds, and the soft surfaces bleed.
What Organizations Should Do
- Harden the help desk. Require out-of-band, multi-factor identity proofing before any password or MFA reset. A confident voice is not authentication. Mandate callbacks to verified numbers and supervisor approval for privileged-account resets.
- Move to phishing-resistant MFA. Replace SMS and push-approval factors with FIDO2 hardware keys or passkeys to neutralize MFA fatigue and SIM-swap attacks, and treat the reset and re-enrollment flow as part of the factor: a FIDO2 key is only as strong as the help-desk process that issues its replacement.
- Monitor for identity anomalies. Alert on impossible-travel logins, new-device enrollments, and unusual privilege escalation. Scattered Spider uses legitimate credentials, so behavior, not signatures, is the detection surface.
- Drill the human layer. Run vishing simulations against IT and help-desk staff, and give them an explicit, blameless path to refuse and escalate suspicious reset requests.
- Segment and minimize. Limit lateral movement with network segmentation and least-privilege access so a single compromised account cannot reach claims, SSN, and health data stores.
- Pre-build your notification pipeline. Aflac's year-long count is the cautionary tale. Maintain data inventories and breach-response tooling that can scope an affected population in weeks, not months.
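The two detections in the "Monitor for identity anomalies" item above, as an added example that is not Aflac's code or anything published about its environment: impossible travel between consecutive logins, and a help-desk reset followed shortly by an MFA enrollment from an IP the user had never logged in from. The event schema, the airliner-speed threshold, the six-hour window, and the sample events (TEST-NET addresses, invented users) are all assumptions constructed for the example; a real deployment would feed this from an identity provider's sign-in and audit logs.

```python
"""Identity-anomaly detection over constructed auth events (added example).

Two Scattered Spider-style patterns are flagged:
  1. Impossible travel: consecutive logins for one user whose implied
     great-circle speed exceeds what a commercial flight could manage.
  2. Reset-then-enroll: a help-desk credential/MFA reset followed, within a
     window, by an MFA enrollment from an IP never seen on a prior login.
Event schema, thresholds and sample data are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    kind: str          # "login" | "helpdesk_reset" | "mfa_enroll"
    ip: str            # source IP of the login/enrollment (or the reset request)
    lat: float
    lon: float
    device: str = ""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _by_user(events):
    """Bucket events per user, ordered by timestamp."""
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        buckets[e.user].append(e)
    return buckets


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive logins whose implied speed beats max_kmh
    (roughly airliner cruise speed; the threshold is an assumption)."""
    alerts = []
    for user, evs in _by_user(events).items():
        logins = [e for e in evs if e.kind == "login"]
        for prev, cur in zip(logins, logins[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # Distinct locations at the same instant are impossible too.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append({"user": user, "km": round(km),
                               "hours": round(hours, 2), "to_ip": cur.ip})
    return alerts


def reset_then_enroll(events, window=timedelta(hours=6)):
    """Flag a help-desk reset followed within `window` by an MFA enrollment
    from an IP the user had never logged in from before the reset."""
    alerts = []
    for user, evs in _by_user(events).items():
        for i, e in enumerate(evs):
            if e.kind != "helpdesk_reset":
                continue
            known_ips = {x.ip for x in evs[:i] if x.kind == "login"}
            for later in evs[i + 1:]:
                if later.ts - e.ts > window:
                    break
                if later.kind == "mfa_enroll" and later.ip not in known_ips:
                    alerts.append({"user": user, "reset_at": e.ts.isoformat(),
                                   "enrolled_from": later.ip, "device": later.device})
    return alerts


# Constructed sample data. Only the date is borrowed from the article.
T = datetime(2025, 6, 12, 9, 0)
NYC, FRA, CHI = (40.7128, -74.0060), (50.1109, 8.6821), (41.8781, -87.6298)
SAMPLE_EVENTS = [
    # alice: New York, then Frankfurt two hours later -> impossible travel
    AuthEvent(T, "alice", "login", "203.0.113.5", *NYC, "laptop-a1"),
    AuthEvent(T + timedelta(hours=2), "alice", "login", "198.51.100.9", *FRA, "unknown-win"),
    # bob: help-desk reset, then MFA enrolled from an IP never seen -> flagged
    AuthEvent(T, "bob", "login", "203.0.113.10", *NYC, "laptop-b1"),
    AuthEvent(T + timedelta(hours=4), "bob", "helpdesk_reset", "203.0.113.10", *NYC),
    AuthEvent(T + timedelta(hours=4, minutes=20), "bob", "mfa_enroll", "198.51.100.7", *NYC, "new-phone"),
    # carol: same office a day apart -> benign
    AuthEvent(T, "carol", "login", "203.0.113.20", *CHI, "laptop-c1"),
    AuthEvent(T + timedelta(days=1), "carol", "login", "203.0.113.20", *CHI, "laptop-c1"),
    # dave: legitimate reset, re-enrolled from his usual IP -> benign
    AuthEvent(T, "dave", "login", "203.0.113.30", *CHI, "laptop-d1"),
    AuthEvent(T + timedelta(hours=1), "dave", "helpdesk_reset", "203.0.113.30", *CHI),
    AuthEvent(T + timedelta(hours=1, minutes=10), "dave", "mfa_enroll", "203.0.113.30", *CHI, "replacement-phone"),
]


def run_detections(events=SAMPLE_EVENTS):
    return {"impossible_travel": impossible_travel(events),
            "reset_then_enroll": reset_then_enroll(events)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

Dave's case is the one worth keeping in mind when tuning: a reset followed by an enrollment is routine, so the discriminator is the unfamiliar source, not the sequence alone. Feeding known-IP sets from a longer baseline than one day, and adding device fingerprint and ASN to the "never seen" test, is the obvious next step.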
Sources: Aflac Is Notifying 22.7 Million People. The Attack Was June 2025.