Aflac’s June 2025 Cyber Breach Part of an Insurer Coordinated Attack
- Glen Armes
- Jul 24
- 4 min read

Executive Summary
On 12 June 2025, Aflac Incorporated detected and contained an intrusion into its U.S. network that investigators have attributed to the Scattered Spider cyber‑crime collective. Although the attack did not deploy ransomware or disrupt core business operations, it likely exposed highly sensitive data including Social Security numbers (SSNs), health‑insurance claims, and employee/agent information. The incident highlights a strategic pivot by Scattered Spider toward the insurance sector and again shines light on persistent weaknesses in Helpdesk identity recovery processes.
1. Incident Timeline
| Date | Milestone |
| --- | --- |
| 12 Jun 2025 | Aflac's security monitoring flagged "suspicious activity" on the U.S. network; the response team isolated affected systems within hours, according to the Aflac Newsroom. |
| 20 Jun 2025 | Aflac filed an 8-K with the U.S. SEC and issued a press release disclosing the breach and confirming business continuity, according to investors.aflac.com. |
| 20–24 Jun 2025 | |
| 23 Jun 2025 onward | Class-action complaints filed in Georgia and Alabama federal courts allege inadequate data protection (cases pending), according to Millberg.com. |
| 24 Jul 2025 | Forensic work continues; no evidence of ransomware, but record-level validation of exfiltrated data is ongoing, according to Aflac. |
2. Initial Access & Attack Path
Aflac says the attackers socially engineered the Helpdesk by impersonating employees, convincing Helpdesk staff to reset credentials and enroll new MFA devices, mirroring Scattered Spider's signature "vishing" technique.
CrowdStrike and other responders report that the adversary pivoted from Microsoft Entra ID accounts to SaaS and on-prem systems, deploying legitimate remote-management tools such as TeamViewer, AnyDesk, Ngrok, Teleport, and Chisel to persist and tunnel traffic.
Lateral movement and staging were observed using tactics including Active Directory reconnaissance scripts (ADRecon, ADExplorer), creation of rogue mail-transport rules to hide alerts, and cloud-storage enumeration for bulk data pulls.
3. Data at Risk
Aflac’s form 8‑K and subsequent FAQs list the following categories as potentially exposed (exact record counts pending):
- SSNs and other government identifiers
- Personal and health-insurance claims data protected under HIPAA/GLBA
- Contact, demographic, and beneficiary information for customers, agents, and employees
- Internal documents discovered in SaaS repositories (e.g., architecture diagrams)
4. Indicators of Compromise (IOCs)
| Kill-Chain Stage | Notable Artefacts / Behaviours | MITRE ATT&CK IDs |
| --- | --- | --- |
| Helpdesk compromise | Unsolicited calls requesting MFA re-enrollment; spoofed domains like aflac-support[.]com | T1566.004 |
| Remote foothold | Installations of TeamViewer, AnyDesk, Ngrok, Teleport, Chisel on user or VDI hosts | T1219 / T1105 |
| Privilege escalation | AD CS template abuse, PowerShell Get-ADUser, LSASS dumps | T1548 / T1003 |
| Evasion | Creation of Outlook transport rules deleting security alerts, "HardDelete" mailbox operations | T1564.008 |
| Exfiltration | Large ZIP/RAR archives to S3 buckets controlled via S3 Browser or outbound HTTPS to mega[.]nz | T1567.002 |
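As an added example (not code from this post, from Aflac, or from the responders it cites), the following Python triages constructed audit and endpoint records for two of the behaviours described above: mail rules that delete security alerts (section 2 and the Evasion row) and execution of the named remote-management tools (the Remote foothold row). The audit field names follow the Microsoft 365 Unified Audit Log layout for Exchange admin operations; the endpoint event fields (host, image) and every sample value are assumptions.

```python
"""Flag two behaviours from the IOC table over constructed sample records.
Audit records use the Microsoft 365 Unified Audit Log layout for Exchange admin
operations; the endpoint process events are a hypothetical EDR export."""

# Remote-management / tunnelling binaries named on the page (T1219 / T1105)
RMM_TOOLS = {"teamviewer.exe", "anydesk.exe", "ngrok.exe", "teleport.exe", "chisel.exe"}
# Exchange cmdlets that create or modify mail rules (T1564.008)
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "New-TransportRule", "Set-TransportRule"}
# Wording typical of the security notifications an intruder wants to hide
ALERT_WORDS = ("alert", "security", "suspicious", "sign-in", "mfa")

def rule_hides_alerts(record):
    """True if a mail rule deletes or diverts messages that look like security alerts."""
    if record.get("Operation") not in RULE_OPS:
        return False
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    destructive = params.get("DeleteMessage") == "True" or "MoveToFolder" in params
    words = (params.get("SubjectContainsWords", "") + " "
             + params.get("BodyContainsWords", "")).lower()
    return destructive and any(w in words for w in ALERT_WORDS)

def rmm_launched(event):
    """True if the executed image (hypothetical EDR field) is a listed RMM/tunnel tool."""
    return event.get("image", "").rsplit("\\", 1)[-1].lower() in RMM_TOOLS

def triage(audit_records, process_events):
    """Return (ATT&CK id, subject, detail) tuples for every matching record."""
    findings = [("T1564.008", r["UserId"], r["Operation"])
                for r in audit_records if rule_hides_alerts(r)]
    findings += [("T1219", e["host"], e["image"])
                 for e in process_events if rmm_launched(e)]
    return findings

# Constructed sample input; none of it comes from the Aflac investigation.
AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "jdoe@example.com",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "Security alert;Unusual sign-in"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "asmith@example.com",
     "Parameters": [{"Name": "From", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
PROCS = [
    {"host": "VDI-017", "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"host": "WS-204", "image": r"C:\Windows\System32\notepad.exe"},
]
```

Calling `triage(AUDIT, PROCS)` returns one T1564.008 finding for the alert-deleting rule and one T1219 finding for the AnyDesk launch; the benign newsletter rule and notepad.exe are left alone.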
5. Regulatory & Business Impact
- Underwriting, claims processing, and customer portals remained online; Aflac emphasizes "no ransomware executed." (Aflac Newsroom)
- Class-action plaintiffs allege violations of GLBA, HIPAA, and state data-breach statutes; potential exposure to NYDFS 500 if New York policyholders are affected. (Varutra)
- The financial market reacted mildly (−1.3%); analysts credit rapid containment for limiting downtime costs. (Reuters)
6. Is This Aflac’s First Breach?
No. In January 2023, a third‑party marketing vendor’s file‑transfer server leak in Japan exposed data on ≈1.3 million cancer‑policy holders. That event did not involve Aflac’s own infrastructure but highlighted supply‑chain risk. The 2025 incident, by contrast, seems to be the first direct compromise of Aflac’s U.S. corporate network.
7. Strategic Takeaways for Insurers
- Human-layer defenses are critical to thwarting an attack. Voice-based social engineering of Helpdesk staff can defeat even strong MFA deployments.
- Remote-management tooling continues to be used as a backdoor. Legitimate RMM agents leave fewer traces than traditional malware; EDR policies should explicitly cover them.
- Sector-wide intelligence sharing is critical. Scattered Spider hit Erie and Philadelphia Insurance within the same week, suggesting coordinated campaigns against insurers.
- Fast containment that reduces the blast radius can save organizations millions of dollars. Aflac's isolation and containment speed helped avoid ransomware and business interruption, which points to a solid security incident response plan.
8. Conclusion
Aflac's June 2025 breach illustrates the growing sophistication of social-engineering campaigns against regulated insurance and financial services firms. While Aflac's swift response limited operational damage, the potential exposure of highly sensitive data will test its customer trust and compliance posture for months to come. For the broader insurance sector, the incident is another call to reinforce identity recovery workflows and tighten controls on remote-management tools. If you are ready to engage a third party to review your Scattered Spider controls and provide education for stakeholders, sign up for a free Scattered Spider threat briefing at https://www.armes-vantage.com/scattered-spider-threat-briefing.
Author: Glen E. Armes