When you hear the name Aflac, you, probably like me, hear the quacking duck from their commercials. Unfortunately, however, the recently announced data breach at Aflac is no quacking matter.
Aflac disclosed on June 20th that it had suffered a data breach that may have compromised sensitive personal information held by the company, which offers a wide range of insurance products to millions of people. According to Aflac, it noticed suspicious activity on its networks on June 12th and is now in the early stages of investigating the extent of the data breach with the help of outside cybersecurity experts. Aflac’s press release states that it did not find evidence of ransomware, but that it doesn’t yet know the extent of the data breach, which may include Social Security numbers and other sensitive information.
It is believed that the data breach was the work of the infamous hacking group called Scattered Spider, which focuses its efforts on one specific industry at a time, often using ransomware. The September 2023 ransomware attacks on MGM Resorts and Caesars Entertainment were attributed to Scattered Spider.
Now, according to the Google Threat Intelligence Group, Scattered Spider is targeting the insurance industry. Earlier this month Erie Insurance suffered a data breach attributed to Scattered Spider. Google Threat Intelligence Group chief analyst John Hultquist warned, “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes, which target their help desks and call centers.”
Scattered Spider is thought to be made up of English-speaking Americans and British hackers. In 2024 four Americans and one British national were indicted on cybercriminal charges related to activities of Scattered Spider.
Social engineering is the cornerstone of the crimes of Scattered Spider and, according to Aflac, was how their data breach was accomplished. The hackers of Scattered Spider have been known to call IT support posing as employees of the company they are targeting and convince the IT support staff to reset passwords or multi-factor authentication.
Scattered Spider also attacks Managed Service Providers, which are third-party companies that remotely manage the network and infrastructure systems for companies. Often these Managed Service Providers are a weak link in a company’s security. Additionally, Managed Service Providers provide their services to many customers, so breaching their security turns into one-stop shopping for hackers targeting multiple companies.
Aflac is offering free credit monitoring and identity theft insurance to its customers for two years. If you are an Aflac customer and wish to get those free benefits, you should call Aflac’s Call Center at 1-855-0305.
Potential victims of this data breach should also freeze their credit if they have not already done so. Freezing your credit is something everyone should do. It is free and easy to do. It protects you from someone using your identity to obtain loans or make large purchases even if they have your Social Security number. If you have not already done so, put a credit freeze on your credit reports at all of the major credit reporting agencies. Here are links to each of them with instructions about how to get a credit freeze:
Equifax
TransUnion
Experian
Everyone also should monitor their credit reports regularly for indications of identity theft. The three major credit reporting agencies now provide free weekly access to your credit reports so you can monitor your credit reports easily on your own. Here is the only link to use to get your free credit report.
Finally, be wary of anyone who calls you purporting to help you in regard to this or any other data breach and asks for personal information, as that is a favorite tactic of hackers to lure you into providing additional personal information that can lead to your becoming a victim of identity theft. Also, as always, never click on a link or download an attachment in an email or text message unless you have absolutely confirmed that it is legitimate, and don’t provide personal information in response to an email, text message or phone call unless you have absolutely confirmed that the communication is legitimate.