U.S. insurance giant Aflac confirmed that a major cyberattack in June 2025 resulted in the theft of highly sensitive personal and health data belonging to approximately 22.65 million people, including Social Security numbers, dates of birth, home addresses, government-issued IDs and medical insurance information, prompting the company to begin notifying affected customers and offer protections amid growing concerns about broader cybercriminal activity targeting the insurance industry and potential long-term identity theft risks.
Sources TechRadar, The Record
Key Takeaways
• The breach impacted 22.65 million individuals, exposing extremely sensitive personal, identification and health insurance information, heightening long-term risks of identity theft and fraud.
• Aflac has begun notifying affected people, is offering credit monitoring and identity protection services, and reported coordination with federal law enforcement and cybersecurity experts in response.
• This incident forms part of an emerging pattern of sophisticated cybercriminal attacks on the insurance sector, suggesting systemic vulnerabilities in industry cybersecurity practices.
In-Depth
In June 2025, one of the United States’ most widely known supplemental insurance providers, Aflac, experienced a significant cybersecurity breach that only recently came to full public light. The company ultimately confirmed that its systems were infiltrated by unauthorized actors who were able to access and exfiltrate personal information tied to roughly 22.65 million individuals, a tally that spans customers, agents and possibly even some employees. The scale of this breach places it among the more serious data exposures in the insurance and financial services industries over the past decade.
What makes this particular incident especially concerning is the nature of the data that was stolen. According to official disclosures, the attackers accessed not just routine contact data such as names and home addresses, but also deeply sensitive identifiers including dates of birth, government-issued identification numbers (such as driver’s licenses, passports and state IDs) and Social Security numbers — information that, once in criminal hands, can facilitate identity theft, financial fraud and even falsified medical claims. On top of that, medical and health insurance details were compromised, which in the context of privacy laws like HIPAA and other state and federal protections carries serious implications for individuals’ personal and legal rights over time.
Following the discovery of the breach, Aflac notified regulators, including the Texas Attorney General and the Iowa Attorney General, and has since commenced direct notifications to impacted individuals. The company’s response has included offering affected parties credit monitoring and identity theft protection services, intended to help detect and mitigate misuse of the stolen data. Law enforcement — both federal and state — has been involved in the aftermath, and Aflac brought on external cybersecurity firms to investigate and remediate vulnerabilities exploited in the attack. Company representatives have stated that they are not aware, to date, of fraudulent activity directly resulting from the breach, though security analysts warn that misuses of stolen identity data can surface years after an initial incident.
This breach comes amid a broader trend of mounting cybercriminal pressure on the insurance sector. Reports from security commentators and breach analysts suggest that sophisticated hacker groups have increasingly turned their focus to insurers, which hold rich troves of personal and financial records. These organizations are attractive targets precisely because of the breadth of sensitive information they maintain. Aflac’s breach follows similar intrusions at other carriers and third-party industry vendors over the last several years, highlighting systemic weaknesses in sector cybersecurity practices and the costly repercussions that follow.
For affected individuals, experts recommend a suite of defensive steps: placing credit freezes with major reporting agencies, monitoring financial and medical accounts for suspicious activity, and taking advantage of the identity protection services offered by Aflac. Some consumers may also consider setting up Identity Protection PINs with the Internal Revenue Service to guard against tax-related identity fraud.
In the broader landscape of corporate cybersecurity, this incident underscores the urgent need for robust preventative measures — including multifactor authentication, real-time threat detection, employee training to thwart social engineering, and rigorous third-party vendor oversight. As cyber threats continue to evolve in sophistication and scale, stakeholders across the insurance and financial services industries will face mounting pressure to shore up defenses, protect consumer data and restore public trust in an increasingly digital risk environment.