Aflac discloses cyber intrusion linked to wider crime spree targeting insurance industry

Major insurance provider Aflac Inc. said Friday that it was the target of a cyberattack on June 12 that is linked to a major cybercrime spree focusing on the industry. 

The company said it was able to contain the attack within hours and confirmed its systems remain operational. 

“We continue to serve our customers as we respond to this incident and can underwrite policies, review claims and otherwise service our customers as usual,” the company said in a Securities and Exchange Commission filing. 

The incident is part of a larger crime wave targeting the insurance industry that researchers have linked to a collective known as Scattered Spider. The group recently conducted a weeks-long attack campaign against retailers in the U.S. and the U.K. 

Erie Insurance Group last week disclosed that it was the target of a cyberattack that began on June 7. The company said Tuesday that it has regained control over its systems and sees no further evidence of malicious activity.

Erie is working with third-party forensic experts to restore full access to customers, agents and employees.

Researchers from Google Threat Intelligence Group on Monday warned that the same hackers targeting the retail sector had pivoted toward the insurance industry. Google has not attributed the attacks to any actor but said they show the hallmarks of Scattered Spider, the notorious threat group linked to the 2023 MGM Resorts and Clorox hacks.

The retail sector intrusions began in April, with U.K. retailer Marks and Spencer and the Harrods department store chain among the major victims. In the U.S., the hacking spree hit Victoria’s Secret and United Natural Foods, the largest supplier for Whole Foods, the grocery chain owned by Amazon.

Aflac has begun a process of reviewing files that may have been accessed. The review is still in its early stages and Alfac said it cannot immediately determine how many people were affected. 

The files contain claims information, health records, Social Security numbers and other personal data related to customers, employees, beneficiaries, agents and other individuals. 

The company plans to notify regulators and will send breach letters to affected individuals and provide credit monitoring and identity-theft services.