Cybercriminals have breached insurance giant Aflac, potentially stealing Social Security numbers, insurance claims and health information, the company said Friday, the latest in a spree of hacks against the insurance industry.
With billions of dollars in annual revenue and tens of millions of customers, Aflac is the biggest victim yet in the ongoing digital assault on US insurance companies that has the industry on edge and the FBI and private cyber experts scrambling to contain the fallout.
Erie Insurance and Philadelphia Insurance Companies have also reported hacks this month, which in those cases have caused widespread disruptions to IT systems used to serve customers. All three insurance-company hacks are consistent with the techniques of a young and rampant cybercrime group known as Scattered Spider, people familiar with the investigation tell CNN.
“This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group,” Aflac said in a statement on Friday, without naming Scattered Spider. Aflac said it “stopped the intrusion within hours” after discovering it last week, that no ransomware was deployed, and that it continues to serve its customers.
It was too early to tell, the company said, how much customer information may have been stolen, but the potential exposure is vast. Aflac is one of the largest providers of supplemental health insurance in the US for medical expenses that aren’t covered by a primary provider.
The hackers used “social engineering” to worm their way into its network, according to Aflac. That tactic can involve duping someone into revealing security information to help gain access to a network. It’s a hallmark of Scattered Spider attackers, who are known to pose as tech support to infiltrate big corporations.
The loose group of cybercriminals is considered dangerous and unpredictable, in part because it is believed to be comprised of youths in the US and the UK known for aggressively extorting their victims. Scattered Spider shot to infamy in September 2023 when they were linked to a pair of multimillion-dollar hacks on famous Las Vegas casinos and hotels MGM Resorts and Caesars Entertainment.
The hackers’ tactics, and the way they target big swaths of American industries at a time, have cybersecurity executives pleading with companies to be wary of suspicious phone calls to their employees. Just last month, they were suspects in multiple cyberattacks on American retail companies.
“If Scattered Spider is targeting your industry, get help immediately,” said Cynthia Kaiser, who until last month was deputy assistant director of the FBI’s Cyber Division and oversaw FBI teams investigating the hackers. “They can execute their full attacks in hours. Most other ransomware groups take days.”
Scattered Spider often registers web domains that look very much like trusted help desks that companies use for IT support, the cybersecurity firm Halcyon, where Kaiser now works, says in a forthcoming report.
While concerns about Iranian cyber capabilities are in the news because of the Israel-Iran war, “the threat I lose sleep over is Scattered Spider,” said John Hultquist, chief analyst at Google’s Threat Intelligence Group. “They are already taking food off shelves and freezing businesses. The Iranian hackers may not even have Internet access, but these kids are in play right now.”