Insurance giant Aflac will report its Q2 financial results on August 5th. Although its press release is silent on the topic, it seems unlikely the company can avoid providing more detail on the cyber event it disclosed in an 8-K filed with the SEC last month, which reported “unauthorized access to its network.” The company has blamed the intrusion on “social engineering,” in which an attacker tricks an employee into providing a password or other means of getting into the target’s IT system. Public reports link the Aflac incident to a hacker group that has hit other insurers in recent months; see our report on the Scattered Spider incidents here.
Aflac Filed Cyber Event 8-K Disclosure on June 20th
Public companies must file 8-K reports on cyber security events within four working days of determining the event was “material.” Eight days after its hack, Aflac filed an 8-K report with the SEC:
“On June 12, 2025, Aflac Incorporated, a Georgia corporation (the “Company”), identified unauthorized access to its network. The Company promptly initiated its cybersecurity incident response protocols and believes that it contained the intrusion within hours. The Company’s business remains operational, and its systems were not affected by ransomware. The Company continues to serve its policyholders as it responds to this incident and can underwrite policies, review claims, and otherwise service customers as usual. The Company has engaged leading third-party cybersecurity experts to support the Company’s response to the incident.
The Company has commenced a review of potentially impacted files. That review is in its early stages. The Company is unable to determine the total number of affected individuals until that review is completed. The potentially impacted files contain claims information, health information, social security numbers, and/or other personal information, related to customers, beneficiaries, employees, agents, and other individuals in its U.S. business. The Company anticipates notifying regulators and providing appropriate notifications to individuals affected by this incident. Individuals will be offered free credit monitoring and identity theft protection services.
At this time, the full scope and potential ultimate impact on the Company are not known.”
Insurer Provides More Details on Cyber Attack in Public Statement
While Aflac’s 8-K claimed the ultimate impact on the company was unknown, Aflac has revealed some more details in an undated statement on its Web site (similar information has been shared with its clients): “…(O)ur preliminary findings indicate that the unauthorized party used social engineering tactics to gain access to our network…While our teams work to review the potentially impacted data and determine the specific information involved, we are offering any individual who contacts our dedicated call center free credit monitoring and identity theft protection, and Medical Shield for 24 months.”
This announcement seems sure to have ruffled the feathers of some customers and their lawyers; litigation often follows such disclosures. We’ll probably learn more on August 5th, as it’s not uncommon for companies to follow a cyber event 8-K with more details in subsequent public filings and reports. See Lee Enterprises for a recent cyber disclosure example.