Aflac Says Cybersecurity Incident Involved Personal Information of 22.65 Million People

Aflac-insurance-cybersecurity-fraud

Insurance company Aflac said personal information associated with 22.65 million people was impacted by a cybersecurity incident within its U.S. business that the company reported in June.

    Get the Full Story

    Complete the form to unlock this article and enjoy unlimited free access to all PYMNTS content — no additional logins required.

    yesSubscribe to our daily newsletter, PYMNTS Today.

    By completing this form, you agree to receive marketing communications from PYMNTS and to the sharing of your information with our sponsor, if applicable, in accordance with our Privacy Policy and Terms and Conditions.

    The company determined the number of affected people after reviewing the potentially impacted files, it said in a Friday (Dec. 19) press release.

    “Following detection of the security incident, Aflac promptly secured accounts identified as potentially impacted and took additional steps, including resetting passwords and further monitoring for signs of suspicious activity,” the company said in the release. “To date, Aflac is not aware of any fraudulent use of personal information and—along with third-party partners—will continue to monitor any fraudulent activity.”

    Aflac has begun to notify individuals impacted by the incident, per the release.

    When the company disclosed the cybersecurity incident in June, it said that it identified suspicious activity on its U.S. network, initiated its cyber incident response protocols and stopped the intrusion within hours. The company’s systems were not affected by ransomware and its business remained operational.

    “This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group,” Aflac said in a June 20 press release. “This was part of a cybercrime campaign against the insurance industry.”

    Aflac said in the June release that its review of potentially impacted files was in its early stages and that it had not determined the number of affected individuals.

    In an update released along with the Friday press release, Aflac said it determined on Dec. 4 that the files that may have been impacted in the security incident likely contained personal information that triggers notification under applicable law.

    The review determined that this information was associated with customers, beneficiaries, employees, agents and other individuals related to Aflac, and that it included names, contact information, claims information, health information, Social Security numbers, and other information, per the update.

    Aflac said in the update that it provided its customers with credit monitoring, identity theft protection, medical fraud protection and other resources early in its response to the incident; it did not wait until it had finalized this review.

    The FBI’s Internet Crime Complaint Center (IC3) said in April that personal data breaches were one of the top three types of cybercrime reported by victims in 2024.

    Among critical infrastructure organizations, data breaches were one of the top two most reported cyber threats, according to IC3’s “Internet Crime Report 2024.”

    Latest News on

    From Warehouses to Last Mile, AI Is Rewiring Logistics at Global Scale
    January 08, 2026, 6:19pm
    Apple-JPMorgan-Chase-credit-card
    Apple Taps JPMorgan Chase to Expand Its Financial Services Ecosystem
    January 08, 2026, 6:01pm
    AI insurance
    AI Arms Race Pits Insurers Against Fraudsters
    January 08, 2026, 5:41pm