Insurance giant Aflac reported today that it was hit by a cyberattack on June 12 but was able to stop the intrusion “within hours.”
Aflac detailed the incident in an SEC filing and press release today. The company didn’t name the suspected attacker but said in the press release that “This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group. This was part of a cybercrime campaign against the insurance industry.”
The Aflac breach disclosure came days after reports that the Scattered Spider threat group was pivoting from retail attacks to a campaign targeting the insurance industry.
Other recent insurance industry cyber incidents have targeted Erie Insurance and Philadelphia Insurance Companies, among others.
Aflac Breach Began with Social Engineering
Aflac said it has engaged third-party cybersecurity experts to help with its response and investigation, and noted that the preliminary investigation suggests that the attackers “used social engineering tactics to gain access to our network.”
The insurance company said that its business remains operational and its systems were not affected by ransomware, but the company suggested that hackers may have been able to access some sensitive data.
“[W]e have commenced a review of potentially impacted files,” Aflac said. “It is important to note that the review is in its early stages, and we are unable to determine the total number of affected individuals until that review is completed. The potentially impacted files contain claims information, health information, social security numbers, and/or other personal information, related to customers, beneficiaries, employees, agents, and other individuals in our U.S. business.”
Aflac said that even though the investigation is ongoing, it is offering any individual who contacts the company’s dedicated call center free credit monitoring, identity theft protection, and Medical Shield for 24 months.
The SEC filing said Aflac plans to notify regulators and provide “appropriate notifications to individuals affected by this incident. … At this time, the full scope and potential ultimate impact on the Company are not known.”
Defending Against Scattered Spider
After Scattered Spider-linked retail incidents in the UK last month, the UK’s National Cyber Security Centre issued guidance for protecting operations from cyberattacks. Those steps include:
- Comprehensive use of multi-factor authentication
- Monitoring for signs of account misuse, such as “risky logins” within Microsoft Entra ID Protection
- Monitoring Domain Admin, Enterprise Admin, and Cloud Admin accounts and making sure that any access is legitimate
- Review helpdesk password reset processes, including procedures for authenticating staff credentials before resetting passwords
- Making sure that security operation centers can identify suspicious logins, such as from VPN services in residential ranges
- Following tactics, techniques, and procedures sourced from threat intelligence
Google recently issued an advisory looking at Scattered Spider’s vishing attack techniques, or voice-based social engineering, which has included calling corporate service desks and “impersonating employees to have credentials and multi-factor authentication (MFA) methods reset.”
