American insurance company AFLAC (Aflac) officially announced that a cyberattack in June exposed the personal information of up to 22,650,000 people. It is one of the largest hacking incidents reported in the U.S. insurance industry this year, and because the exposed data includes health and medical information, it is expected to have significant repercussions.
Aflac stated that it first discovered unauthorized access to part of its U.S. network on June 12 and immediately engaged external security experts, notified law enforcement, and took countermeasures. The attack did not involve ransomware and did not cause any business interruption. However, it has been confirmed that the files stolen by the attackers contained a large amount of personally identifiable information.
The leaked data includes information about customers, current and former employees, insurance beneficiaries, and cooperative agents. It reportedly includes not only names, birth dates, contact information, and Social Security numbers, but also sensitive content such as health and insurance claim information. Some records even contain government-issued identification information, which could cause greater harm.
Aflac stated that, as of now, no fraudulent activity using the stolen information has been discovered, but to prevent potential damage it has begun notifying victims and the relevant regulatory agencies. The company also plans to offer free identity protection services for up to 24 months, including credit monitoring, identity theft protection, and medical fraud detection.
Although the mastermind behind this attack has not been formally identified, cybersecurity experts suggest that it may have been carried out by a hacker organization known as 'Scattered Spider.' This organization has been active since 2022, continuously targeting the insurance, healthcare, and retail sectors, and has a record of collaborating with the ALPHV/BlackCat ransomware group.
Scattered Spider primarily uses voice social engineering attacks against IT administrators, gaining access through sophisticated methods such as mimicking the victim's voice or impersonating new employees. The group establishes intrusion paths by trading other people's login information, eavesdropping, SMS phishing, phone call forwarding, and SIM card swapping.
Tim Rawlins, a security consultant at NCC Group, commented: 'The insurance industry has experienced multiple significant security incidents this year. With the strengthening of backup systems, the demands for ransom payment for decryption have decreased, but the use of leaked information to extort money is spreading.' He further warned: 'Such publicly threatening data attacks are likely to become the new standard for future cyberattacks.'
Since 2025, cyberattacks targeting the healthcare and insurance sectors have been increasing, and the Aflac incident is expected to serve as a wake-up call for the security systems of the entire industry. Industry insiders generally believe that strengthening security education for internal employees and enhancing real-time monitoring systems will be crucial in the future.
