Massive Aflac breach exposed millions of SSNs and other data - get free protection today

SOPA Images / Contributor via LightRocket / Getty Images

Follow ZDNET: Add america arsenic a preferred source connected Google.

ZDNET's cardinal takeaways

• An Aflac breach impacted much than 22 cardinal customers.
• Stolen were Social Security numbers and different idiosyncratic data.
• Aflac is offering escaped recognition monitoring and different services.

Most of america astir apt cognize Aflac from the comic quacking duck commercials. But what has happened to millions of the insurer's customers is hardly a laughing matter, particularly if you're 1 of them.

Also: The champion information removal services of 2025: Delete yourself from the internet

On June 20, Aflac revealed that it was hit by a cyberattack staged by a blase radical arsenic portion of a question of attacks against security companies. The steadfast noted that it became alert of the suspicious enactment connected June 12. At the time, Aflac said that it would behaviour a reappraisal of the incidental to find what happened and who was affected. 

Now that reappraisal has been completed, present are the gory details.

Personal and delicate information stolen

In its analysis, Aflac recovered that personal and delicate information was stolen from immoderate 22.65 cardinal customers, beneficiaries, employees, agents, and others related to the company. The information included names, interaction information, claims information, wellness information, and Social Security numbers. But not each of this information was compromised for everyone affected by the breach.

Though Aflac did not place the culprit, the onslaught appears to person been staged by Scattered Spider, a notorious ransomware radical that has painted a bullseye connected the security industry. A July study from cybersecurity supplier CrowdStrike revealed however the radical uses societal engineering, SIM swapping, distant entree tools, and different tactics to bargain information and clasp it for ransom. 

If the wealth is not paid oregon the breach is contained, past Scattered Spider threatens to merchandise the information publicly.

Also: I enactment 2025's starring data-removal services to the test, and determination was a wide winner

In June, conscionable days earlier Aflac announced the attack, Google adjacent warned that Scattered Spider was transitioning from its erstwhile targets to security companies, arsenic reported by CyberScoop.

"Google Threat Intelligence Group is present alert of aggregate intrusions successful the US which carnivore each the hallmarks of Scattered Spider activity," John Hultquist, main expert astatine Google Threat Intelligence Group, said successful an email astatine the time. 

"We are seeing incidents successful the security industry. Given this actor's past of focusing connected a assemblage astatine a time, the security manufacture should beryllium connected precocious alert, particularly for societal engineering schemes, which people its assistance desks and telephone centers," Hultquist said.

How to support yourself

After learning of the incidental successful June, Aflac reset the passwords for each accounts that were perchance compromised. The institution said that it besides acceptable up further monitoring to look for further signs of suspicious activity. Aflac stressed that it is not alert of immoderate fraudulent usage of the stolen information, but customers volition privation to instrumentality definite actions to support themselves.

First up, the insurer has called connected healthcare monitoring work CyEx Medical Shield to supply escaped recognition monitoring, individuality theft protection, aesculapian fraud protection, and lawsuit enactment to customers for 24 months. 

To enroll successful this service, telephone 1-855-361-0305 Monday done Friday from 9 americium to 9 p.m. ET oregon Saturday from 9 americium to 5:30 p.m. ET. But bash not hold excessively long. The deadline to enroll is April 18, 2026.

Also: 5 ways to scour the acheronian web for your information aft Google kills its escaped report

Second, Aflac advises customers to beware of immoderate attempts astatine individuality theft oregon fraud. That means you request to reappraisal your reports, fiscal accounts, and security statements for immoderate antithetic activity.

Third and finally, the accustomed proposal applies arsenic always. 

Make definite you unafraid your accounts with beardown passwords (or passcodes wherever available) and two-factor authentication. Look retired for immoderate phishing attempts done email, messaging, oregon websites. And guarantee that your machine is protected with the close information bundle that tin artifact malware and pass you of immoderate suspicious files and activities.