U.S. insurance group Aflac has started notifying about 22.65 million customers whose personal information was stolen in a cyberattack disclosed earlier this year, one of the largest data breaches to hit the insurance sector.
The company confirmed on Tuesday that the notifications follow a June disclosure in which it said hackers had accessed customer data, including Social Security numbers and health information, but did not then quantify the number of people affected.
In a filing with the Texas attorney general, Aflac said the compromised data includes customer names, dates of birth and home addresses, along with government issued identification such as passports, state ID cards and driver’s license numbers. The breach also exposed Social Security numbers and medical and health insurance information.
A separate filing with the Iowa attorney general said the cybercriminals behind the attack “may be affiliated with a known cyber-criminal organization; federal law enforcement and third-party cybersecurity experts have indicated that this group may have been targeting the insurance industry at large.”
According to TechCrunch, the description aligns with Scattered Spider, a loosely organized collective of primarily young, English speaking hackers that has been linked to a wave of cyberattacks against insurers around the same period.
The company says it serves about 50 million customers worldwide, according to its website. The breach comes amid a broader surge in cyber incidents across the insurance industry, with Erie Insurance and Philadelphia Insurance Companies also reporting attacks, highlighting growing vulnerabilities as insurers hold vast amounts of sensitive personal and health data.
