Full Report
Insurance giant Aflac reported today that it was hit by a cyberattack on June 12 but was able to stop the intrusion “within hours.” Aflac detailed the incident in an SEC filing and press release today. The company didn’t name the suspected attacker but said in the press release that “This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group. This was part of a cybercrime campaign against the insurance industry.” The Aflac breach disclosure came days after reports that the Scattered Spider threat group was pivoting from retail attacks to a campaign targeting the insurance industry. Other recent insurance industry incidents have targeted Erie Insurance and Philadelphia Insurance Companies, among others. Aflac Breach Began with Social Engineering Aflac said it has engaged third-party cybersecurity experts to help with its response and investigation, and noted that the preliminary investigation suggests that the attackers “used social engineering tactics to gain access to our network.” The insurance company said that its business remains operational and its systems were not affected by ransomware, but the company suggested that hackers may have been able to access some sensitive data. “[W]e have commenced a review of potentially impacted files,” Aflac said. “It is important to note that the review is in its early stages, and we are unable to determine the total number of affected individuals until that review is completed. The potentially impacted files contain claims information, health information, social security numbers, and/or other personal information, related to customers, beneficiaries, employees, agents, and other individuals in our U.S. business.” Aflac said that even though the investigation is ongoing, it is offering any individual who contacts the company’s dedicated call center free credit monitoring, identity theft protection, and Medical Shield for 24 months. The SEC filing said Aflac plans to notify regulators and provide “appropriate notifications to individuals affected by this incident. ... At this time, the full scope and potential ultimate impact on the Company are not known.” Defending Against Scattered Spider After retail incidents in the UK last month, the UK’s National Cyber Security Centre issued guidance for protecting operations from cyberattacks. Those steps include: Comprehensive use of multi-factor authentication Monitoring for signs of account misuse, such as “risky logins” within Microsoft Entra ID Protection Monitoring Domain Admin, Enterprise Admin, and Cloud Admin accounts and making sure that any access is legitimate Review helpdesk password reset processes, including procedures for authenticating staff credentials before resetting passwords Making sure that security operation centers can identify suspicious logins, such as from VPN services in residential ranges Following tactics, techniques, and procedures sourced from threat intelligence Google recently issued an advisory looking at Scattered Spider’s vishing attack techniques, or voice-based social engineering, which has included calling corporate service desks and “impersonating employees to have credentials and multi-factor authentication (MFA) methods reset.”
Analysis Summary
# Incident Report: Aflac Data Breach Involving Scattered Spider Tactics
## Executive Summary
Aflac reported a data breach affecting its U.S. business operations, potentially exposing customer information, employees, and other individuals. The incident follows a trend of increasing cyberattacks targeting the insurance industry. While the full scope is under investigation, responders are addressing the compromise by offering affected parties identity protection services, likely in response to credential compromise techniques associated with known threat actors like Scattered Spider.
## Incident Details
- **Discovery Date:** Not explicitly stated, but reported on Friday, June 20, 2025.
- **Incident Date:** Not explicitly stated, based on the reporting date.
- **Affected Organization:** Aflac (U.S. business).
- **Sector:** Insurance/Financial Services.
- **Geography:** United States (U.S. business).
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Reported June 20, 2025).
- **Vector:** Implied through social engineering/vishing tactics relevant to the likely threat actor (Scattered Spider).
- **Details:** Attackers targeted corporate service desks, impersonating employees to reset credentials and Multi-Factor Authentication (MFA) methods.
### Lateral Movement
- **Details:** Not explicitly detailed in the provided text, but the ultimate compromise suggests successful internal network navigation following initial credential compromise.
### Data Exfiltration/Impact
- **Details:** Data belonging to "customers, employees, and other individuals in our U.S. business" was compromised. The specific type and volume of data are currently unknown pending a full investigation.
### Detection & Response
- **Details:** Aflac initiated an internal investigation and filed a report with the SEC.
- **Response Actions:** Notifying regulators, offering 24 months of free credit monitoring, identity theft protection, and Medical Shield to affected individuals who contact the dedicated call center.
## Attack Methodology
*Note: The methodology is inferred based on known tactics discussed *after* Aflac's breach report, specifically linked to security guidance addressing the "Scattered Spider" group.*
- **Initial Access:** Social engineering (Vishing/Voice-based social engineering) targeting help desks to reset credentials/MFA.
- **Persistence:** Not detailed, but likely involved creating new backdoors or compromising high-privilege accounts.
- **Privilege Escalation:** Implied via the successful resetting of high-value credentials.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Targeting MFA methods and core credentials via social engineering.
- **Discovery:** Not detailed.
- **Lateral Movement:** Necessary to access customer and employee data systems.
- **Collection:** Gathering customer/employee data systems.
- **Exfiltration:** Not detailed.
- **Impact:** Unauthorized access and exposure of Personally Identifiable Information (PII) and potentially other sensitive data.
## Impact Assessment
- **Financial:** Full ultimate impact is currently unknown and being assessed. Costs related to remediation and customer protection (24 months of monitoring) are being incurred.
- **Data Breach:** Data belonging to customers, employees, and other individuals in Aflac's U.S. business.
- **Operational:** Not detailed, but likely involved internal security investigations and regulatory reporting obligations.
- **Reputational:** Direct impact due to public disclosure via SEC filing and trending news coverage.
## Indicators of Compromise
*Note: No specific IoCs (IPs, Hashes) were provided in the article related directly to the Aflac breach.*
- **Network indicators:** N/A (Specific IoCs not provided).
- **File indicators:** N/A.
- **Behavioral indicators:** Suspicious logins flagged in Microsoft Entra ID Protection; Helpdesk calls involving successful authentication bypass for credential/MFA resets.
## Response Actions
- **Containment:** Ongoing (Investigation underway).
- **Eradication:** Not detailed, but would involve invalidating compromised credentials and monitoring for persistence mechanisms.
- **Recovery:** Offering 24 months of credit monitoring, identity theft protection, and Medical Shield to potentially affected parties.
## Lessons Learned
- The insurance sector remains a high-value target for cybercriminals.
- Reliance on internal helpdesk procedures for authenticating employees during recovery/password resets is a critical vulnerability exploitable via vishing.
- The tactics used suggest a high level of persistence and social engineering proficiency in threat actors targeting corporate infrastructure.
## Recommendations
- Implement mandatory, rigorous, multi-factor authentication (MFA) across all services, ensuring MFA tokens cannot be easily reset via social engineering.
- Establish stringent, multi-factor secondary verification processes for credential resets, especially for privileged accounts (Domain Admin, Enterprise Admin, Cloud Admin).
- Enhance SOC monitoring capabilities to immediately flag and alert on "risky logins" identified via tools like Microsoft Entra ID Protection.
- Provide specific training to helpdesk staff on identifying sophisticated vishing attacks where threat actors impersonate employees.
- Review and enforce tactics, techniques, and procedures sourced from current threat intelligence feeds regarding known threat actors targeting similar organizations.