22 Million Affected By Aflac Data Breach

An anonymous reader quotes a report from SecurityWeek: Insurance giant Aflac is notifying roughly 22.65 million people that their personal information was stolen from its systems in June 2025. The company disclosed the intrusion on June 20, saying it had identified suspicious activity on its network in the US on June 12 and blaming it on a sophisticated cybercrime group. The company said it immediately contained the attack and engaged with third-party cybersecurity experts to help with incident response. Aflac's operations were not affected, as file-encrypting ransomware was not deployed.

[...] The compromised information, the insurance giant says, includes names, addresses, Social Security numbers, dates of birth, driver's license numbers, government ID numbers, medical and health insurance information, and other data. "The review of the potentially impacted files determined personal information associated with customers, beneficiaries, employees, agents, and other individuals related to Aflac was involved," Aflac said in a notification (PDF) on its website. The company is providing the affected individuals with 24 months of free credit monitoring, identity theft protection, and medical fraud protection services.

Re: Obligatory...

[Slashythenkilly]

You stupid, naive SOB. (-1) Anonymous Coward 12 hours ago You think that's all it will take Johnny Law to throw up his hands and slink away in defeat? Guess again. You will be told "you definitely have the right to remain silent...as long as you can stand the pain." Now this pain might be literal or legal, but it WILL be applied. You may imagine yourself as the heroic main character in your mind's movie just because your coddling helicopter mommy told you that at some point in your life, but one day it wi

Re:

[ambrandt12]

*waves to rsilvergun*

press 9

[ole_timer]

to hear a duck

Re:press 9 to hear a duck

[Tablizer]

Moooo

"Damned hackers!"

Does aflac cover data breaches?

[FictionPimp]

I know if I break my arm aflac will come give me a check, but will it give me a check when it breaks my privacy?

Re:

[phantomfive]

I know if I break my arm aflac will come give me a check,

They might not, have you ever tried?

Re:

[FictionPimp]

I'm just saying that's their whole sales pitch. I personally decline this kind of insurance as I believe it is not a wise investment when compared to the risk you are hedging against.

Re: Does aflac cover data breaches?

[blue trane]

How much are thry getting from insurance against data breaches?

Re:

[OrangeTide]

With data breeches and identity theft, if you break your arm, someone else is getting your check.

I'm sure there must be:

[DjangoShagnasty]

A. Some kind of legislation.
B. Some kind of tax.
C. Some government backed costly certification.
D. A new, costly, proprietary AI tool
E. All of the above.

... that we can hurriedly slap in place to fix the internets!

Re:

[Tablizer]

F. Kick them in the duck

It was a sophisticated cyberattack

[zawarski]

Is an excuse I will never, ever, ever be able to use. Must be nice.

Why only 24 months of monitoring

[MeNeXT]

when the information that was stolen cannot be changed. This should be a lifetime of free monitoring even after you move to a new insurance company.

Re:

[nealric]

These "credit monitoring" services they offer with every data breach are completely worthless. So after you lost my personal information, your solution is to tell me to have a different third party monitor my information? It's a fig-leaf to avoid actually paying for damages.

I also get data breach notices on a close to annual basis these days. I'm sure the personal info of almost every adult in the Western world is out there on the dark web by now.

Re:

[FictionPimp]

I have a lifetime of monitoring. Every year someone gets breached and gives me monitoring.

Re:

[kmoser]

"Monitoring" is all but useless once a malicious actor opens a new account in your name. With persistence you may be able to reverse the damage to your credit, but you have to put in the effort yourself because the credit monitoring companies and credit reporting agencies sure won't do it of their own accord. And even if you manage to set the record straight, *somebody* has to pay for all the purchases made on the fraudulent credit cards obtained in your name before they were shut down. In the end, we all p

Too late

[Slashythenkilly]

6 months is way too long to let everyones' information be compromised without notice. They should be sued into oblivion just for that.

Re:

[eedwardsjr]

It happened on the 12. Reported on the 20th according to the summary. That's about a week. What do you meant 6 months?

Re:

[mrbester]

No, they took 6 months to publicise the event.
However, they still took over a week to disclose the breach to appropriate bodies, which I'm sure is 5 days more than it should have been. At least, that's what the law is in UK.

No one's said it yet?

[DaveyJJ]

Well then, I believe the correct response is ... F*ck a duck. LOL. I'll see myself out.

Palantir already has all of that information

[mspohr]

I don't think this will make our surveillance state any worse.

What does Aflac run on?

[Mirnotoriety]

Aflac runs primarily on the CrowdStrike Falcon platform for endpoint detection, identity protection, cloud security (including Falcon ASPM), and next-gen SIEM with AI tools like Charlotte AI.

Aflac Drives Consolidation with the Falcon Platform, Eliminating 15 Point Security Tools in Three Years [crowdstrike.com]

Is it not illegal to use SSN as authentication?

[rapjr]

Just enforce the law and part of this problem vanishes.