Aflac confirms June data breach affecting over 22 million customers

A June data breach exposed the personal information of more than 22 million Aflac customers, the company confirmed.

A data breach in June exposed the information of more than 22 million Aflac customers, according to a new statement from the insurance giant. 

The company detected suspicious activity on a limited number of systems in June and promptly launched an incident response, with the assistance of external cybersecurity experts and federal law enforcement. The issue was contained within hours, and the firm pointed out that no ransomware was involved and systems remained operational. Aflac secured affected accounts, reset passwords, and continues monitoring, with no known fraud.

“Following detection of the security incident, Aflac promptly secured accounts identified as potentially impacted and took additional steps, including resetting passwords and further monitoring for signs of suspicious activity.” reads the update on June 2025 security incident published by the company.

“Based on our review of potentially impacted files, we have determined personal information associated with approximately 22.65 million individuals was involved.”

The insurance firm is notifying the impacted individuals.

Aflac said the incident involved personal data of customers, employees, agents, and others, including names, contact details, claims and health information, Social Security numbers, and other personal data, though not all data types affected every individual.

The company is offering two years of identity protection services to affected individuals, with an enrollment deadline of April 18, 2026.

“We did not wait to finalize the review of potentially impacted data to inform our partners and customers about the resources we have made available, including CyEx Medical Shield, which includes credit monitoring, identity theft protection, medical fraud protection, and customer support, for 24 months.” reads the data breach notification published by the company. “These resources were available and continue to remain available to any individuals calling our dedicated call center line. The final deadline to enroll in these resources is April 18, 2026.”

Aflac is among several insurance companies hit in 2025 by cyberattacks, including Allianz Life, in a wave linked to the cybercrime group Scattered Spider.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)