American insurance behemoth Aflac announced on Friday that it has been hit by a cyberattack, potentially compromising sensitive customer data, including Social Security numbers, insurance claims, and health information.
This incident marks the latest in a series of digital assaults targeting the insurance industry.
With billions in annual revenue and millions of customers, Aflac represents the largest victim to date in an ongoing wave of cyberattacks on US insurance companies, leaving the sector on high alert and prompting intervention from the FBI and private cybersecurity experts.
This month, Erie Insurance and Philadelphia Insurance Companies also reported breaches, which caused widespread disruptions to their IT systems. Investigations suggest that all three attacks align with the methods used by a rapidly growing and aggressive cybercrime group known as Scattered Spider.
Aflac confirmed on Friday that a “sophisticated cybercrime group” was behind the attack, though it did not name Scattered Spider.
Credit: Escanaba.org
The company stated it “stopped the intrusion within hours” of discovery last week, clarified that no ransomware was deployed, and confirmed that customer services remain operational.
While Aflac noted it’s too early to determine the full extent of stolen customer information, the potential exposure is vast, given its significant role as a supplemental health insurance provider in the US.
The hackers reportedly gained access to Aflac’s network using “social engineering,” a tactic often involving tricking individuals into revealing security information. This method is a known hallmark of Scattered Spider, which is notorious for impersonating tech support to infiltrate large corporations.
This loosely organised group of cybercriminals is considered dangerous due to their unpredictable nature and a belief that they are composed of young individuals in the US and UK known for aggressive extortion.
Scattered Spider gained prominence in September 2023 following multi-million-dollar hacks on major Las Vegas casinos and hotels, MGM Resorts and Caesars Entertainment.
Their broad targeting of American industries has led cybersecurity executives to urge companies to be vigilant against suspicious phone calls to employees. Just last month, they were also suspected of multiple cyberattacks on American retail companies.
Cynthia Kaiser, who previously oversaw FBI teams investigating Scattered Spider and now works at cybersecurity firm Halcyon, warned, “If Scattered Spider is targeting your industry, get help immediately. They can execute their full attacks in hours. Most other ransomware groups take days.”
John Hultquist, chief analyst at Google’s Threat Intelligence Group, voiced even greater concern, stating, “The threat I lose sleep over is Scattered Spider… They are already taking food off the shelves and freezing businesses. The Iranian hackers may not even have Internet access, but these kids are in play right now.”
