Aflac duped by social-engineering attack, marking another hit on insurance industry
Aflac disclosed Friday that it experienced a cyberattack last week that potentially impacted the supplemental insurance company’s data.
The Georgia-based company said it identified unauthorized access on its network June 12. Upon initiating its cybersecurity incident response protocols, Aflac “believes that it contained the intrusion within hours,” the company said in a regulatory filing. “The company’s business remains operational, and its systems were not affected by ransomware.”
Aflac is the third insurance company to publicly disclose an attack on its network in the past eight days, and it follows a warning from Google Threat Intelligence Group that the loosely knit cybercrime collective Scattered Spider was actively targeting the insurance sector.
Erie Insurance, Philadelphia Insurance Companies and Aflac were all hit in a five-day period, in that order, starting June 7. Erie Insurance and Philadelphia Insurance Companies, a subsidiary of Tokio Marine Holdings, experienced network outages and business disruption as a result of the attacks, and recovery efforts remain ongoing.
A source familiar with the incident said Aflac doesn’t know if Scattered Spider was responsible because the attackers did not identify themselves, but the characteristics of the attack are certainly consistent with the financially motivated threat group.
Aflac did not immediately respond to a request for comment.
“This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group. This was part of a cybercrime campaign against the insurance industry,” the company said in a news release Friday.
“While the investigation remains in its early stages, in the spirit of transparency and care for our customers, we are sharing that our preliminary findings indicate that the unauthorized party used social engineering tactics to gain access to our network.”
The company said a review of potentially impacted files — including claims information, health information, Social Security numbers and other personal information — is in the early stages.
Aflac and Erie Insurance both specifically indicated they’ve seen no evidence of ransomware on their systems, but they didn’t explain further.
Ransomware, in the traditional sense, involves encrypted data, but the term is also used more colloquially to describe all manner of attacks involving extortion attempts under threats to leak or sell stolen company data.
Scattered Spider is an amorphous band of young English-speaking cybercriminals affiliated with the larger sprawling network known as The Com. Scattered Spider associates recently ran roughshod over U.K.- and U.S.-based retailers before pivoting, once again, to insurance companies.
The ring of cybercriminals has historically focused on one sector at a time, resulting in a wave of extortion attacks on companies in the same industry, which often use similar systems and processes.
Google previously warned that Scattered Spider shifted its attention to U.S. retailers after the group hit multiple retailers and grocery stores in the U.K. in April. The pattern of recent activities attributed to Scattered Spider has been consistent.
“We are now seeing incidents in the insurance industry,” John Hultquist, chief analyst at Google Threat Intelligence Group, told CyberScoop on Monday. “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”