Cybersecurity Threats in Insurance: Lessons from the Aflac Breach

  • Paul Laurent, Andy Soodek, and Sal Amindavar
  • 07 July 2025

 

As part of what appears to be a broader campaign targeting US insurers during June, Aflac – the market’s largest provider of supplemental insurance – disclosed a cybersecurity incident involving unauthorized access to sensitive customer data.[1] The attack underscores the ongoing imperative to bolster defenses, prioritize non-technical safeguards, and reassess cybersecurity readiness in an evolving threat landscape.

Early investigations into the breach of Aflac’s systems point to the deployment of social engineering tactics by Scattered Spider, a prolific threat group.[1] Aflac has responded promptly, reporting that it has contained the breach and is offering protection and remediation services to affected individuals.[1]

The Aflac breach spotlights a critical reality: the insurance industry remains a prime target for sophisticated cybercriminals in an evolving threat landscape.[2] Because they manage vast repositories of sensitive data (personal, financial, and medical), insurers are attractive to threat actors seeking high-value information.

The wave of incidents targeting US insurers (Aflac, Erie Insurance, and Philadelphia Insurance) in June reveals a shift in attackers’ tactics, with an increasing focus on exploiting the human layer rather than relying solely on technical vulnerabilities.[2] By leveraging phishing, impersonation, and pretexting, attackers exploit the trust inherent in business processes, making the human element both a vulnerability and a critical line of defense.[2]

While technical controls like access controls and encryption remain vital, these incidents also highlight the need for robust non-technical defenses to protect sensitive data and uphold customer trust.[4]

 

Strengthening defenses through the human layer

As seen from this recent spate of attacks, breaches exploiting human error pose unique risks.[2] Non-technical defenses are essential to complement traditional cybersecurity measures.

Voice verification can authenticate users during sensitive interactions, reducing the risk of impersonation.[4]

Procedural rigor in help desk workflows, particularly for credential resets and support escalations, can prevent attackers from exploiting these processes, which are common entry points in social engineering attacks.[2]

Zero trust access models, which assume no user or device is inherently trustworthy, provide a robust layer of protection. By requiring continuous verification, these models limit the impact of compromised credentials. 

Additionally, User and Entity Behavioral Analytics (UEBA) and AI-based anomaly detection systems can identify irregular patterns, such as unusual login attempts or data access requests, in real time, enabling rapid response. These measures transform the human layer into a proactive defense, aligning with our clients’ missions to deliver secure, resilient services for insurers.

 

Key questions for insurance leaders

The Aflac breach serves as a catalyst for insurance leaders to evaluate their cybersecurity preparedness. We recommend addressing the following four questions:

  1. How effective are current systems in detecting and disrupting socially engineered access attempts in real time?
    Social engineering attacks exploit trust quickly, often before defenses can respond.[2] Insurers must evaluate whether monitoring systems, technical and procedural, can identify and halt these attempts as they occur. Real-time detection frameworks can help strengthen this capability.

  2. Are internal protocols, particularly for credential resets and support escalation, designed to counter advanced impersonation tactics?
    Help desk processes are frequent targets for impersonation.[2] Protocols should incorporate multi-factor authentication, voice verification, or other identity safeguards.[4] Consulting and security services can support audits and simulations to identify and address gaps in these workflows.

  3. Have incident response plans, encompassing both technical and business functions, been recently tested?
    A comprehensive incident response plan requires regular testing.[4] Capco recommends cross-functional drills simulating real-world breaches to ensure IT, legal, and communications teams are aligned and prepared to act decisively.

  4. Do governance, escalation, and regulatory reporting processes align with expectations across all jurisdictions and regulators, including NYDFS, NAIC Model Laws 668 & 672, and state-level breach notification laws?
    Compliance is paramount in insurance. Governance structures should meet standards like the New York Department of Financial Services (NYDFS) cybersecurity regulations, NAIC Model Laws, and state-level breach notification requirements.[3]

Building resilience through a multi-layered approach

The June insurance industry breaches demonstrate that no insurer is immune to sophisticated cyber threats.

Resilience requires a multi-layered approach: investing in employee training, adopting zero trust principles, and leveraging data and AI-driven anomaly detection to mitigate risks at the human layer. Regular testing of incident response plans and alignment with regulatory frameworks ensure preparedness and compliance.[3]

Insurance leaders must act decisively by asking critical questions, addressing vulnerabilities, and fostering a culture of vigilance. By learning from incidents like Aflac’s, the industry can transform challenges into opportunities to lead in security and privacy.

 

How Capco can help

Capco’s Security Services team is committed to partnering with insurers to navigate these challenges, offering tailored solutions to strengthen defenses and protect customer trust. Connect with our experts to explore how we can support your organization in building a secure, future-ready cyber program.

References

[1] https://newsroom.aflac.com/0-06-0-Aflac-Incorporated-Discloses-Cybersecurity-Incident
[2] www.ibm.com/reports/data-breach
[3] www.dfs.ny.gov/industry_guidance/cybersecurity
[4] www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business

 
