Aflac confirmed a 2025 data breach impacting 22 million people after an advanced cyberattack exposed sensitive personal and medical data in the US.
A single intrusion. Millions of exposed identities.
A security investigation by insurance powerhouse Aflac has revealed that more than 22 million affiliated people were affected by a data breach this year. The breach, which, according to Aflac, has been contained, involved customers’ personally identifiable information (PII).
According to the insurance company, suspicious activity was observed in June 2025. The abnormal network activity was traced to an advanced cybercrime group, warranting a full-scale investigation. Aflac did not publicly name the group; the name may be revealed in the coming days as more information emerges.
In their report, Aflac stated that the breach affected only US-based customers, comprising a significant number of their customer base.
The company confirmed that the attack began on June 12, the same day it was noticed on a limited number of its systems, particularly in the US part of its business. However, prompt containment of the situation with external incident response support disrupted the data theft.
It was further revealed that the stolen data belonged to personal data categories, which are commonly targeted in data breaches. Social Security numbers, addresses, dates of birth, driver’s licence numbers, government ID numbers, names, medical health insurance data, and many other personal data types were stolen.
Many data breaches primarily expose customer data, but this particular theft didn’t just steal customers’ data. Employees, agents, Aflac beneficiaries, and others affiliated with the company were part of the 22 million affected.
The company immediately took action by resetting the passwords for affected accounts to protect users’ accounts while the investigation continued.
With the finalization of this investigation, Aflac has announced that it has begun contacting affected people in compliance with relevant regulations. Additionally, they’ve decided to provide a 2-year free CyEx Medical Shield to those affected.
The 2-year CyEx Medical Shield covers credit monitoring, identity theft, and medical fraud protection, with robust customer support throughout the duration.
Affected users, after being contacted, will have to enroll for it, except for those who are already enrolled, who won’t need to enroll again.
It is not uncommon for lawsuits to follow a data breach, especially in cases involving millions of people.
Shortly after Aflac disclosed the data breach, a class action was filed against the company by Larry Golston, Dee Miles, and Leon Hampton. The Beasley Allen law firm filed the lawsuit. This is the same firm that filed a lawsuit against AT&T over a data breach affecting 51 million customers.
Filed in federal court in Columbus, Georgia, the lawsuit accuses Aflac of data negligence, breach of contract, and abuse of policyholders’ privacy.
The firm asked Aflac customers who believe they’ve been affected by the breach to reach out on its website. Already, billions have been remitted in data breach settlements, with Coupang recently fined over $1 billion regarding a data breach.
The Aflac breach isn’t isolated. A recent cyberattack on the UK Foreign Office shows how far-reaching these incidents have become.
Joseph is a Technical Writer with about 3 years of experience in the industry, also advancing a career in cyber threat intelligence. He is passionate about the responsible use of technology, a passion that led him into cybersecurity. As an undergrad, he leads a novel community of technology enthusiasts at his school, NOUN, where he guides and shares resources for beginners in tech. His writing experience includes writing on a diverse range of topics, from consumer tech to startups and tutorials. Additionally, he periodically shares case studies and research reports on cybersecurity on his social media pages.