Aflac Maintains Operations After Security Incident, Offers Free Credit Monitoring

Rhea-AI Filing Summary

Aflac disclosed a cybersecurity incident detected on June 12, 2025, where unauthorized access to its network was identified. The company contained the intrusion within hours, and importantly, no ransomware was involved. Business operations remain functional with normal customer service capabilities intact.

Key aspects of the security breach:

• Potentially compromised data includes claims information, health information, social security numbers, and personal information
• Affected parties may include customers, beneficiaries, employees, agents, and other U.S. business individuals
• Company has engaged third-party cybersecurity experts
• Will provide free credit monitoring and identity theft protection to affected individuals

The full scope and financial impact remain undetermined as the review is in early stages. The company will notify relevant regulators and affected individuals. This incident could pose legal, reputational, and financial risks, potentially leading to regulatory inquiries, enforcement actions, litigation, or business losses.

Positive

• Company successfully contained cybersecurity intrusion within hours of detection
• Core business operations remain functional - ability to underwrite policies, process claims, and service customers unaffected
• Systems were not impacted by ransomware, limiting potential operational disruption

Negative

• Data breach exposed sensitive customer information including SSNs, health data, and claims information for U.S. business
• Company will incur costs for credit monitoring and identity theft protection services for affected individuals
• Potential regulatory investigations, enforcement actions, and litigation risks from data breach
• Full scope and financial impact of the cybersecurity incident remains unknown

Insights

Cybersecurity Risk Analyst

Aflac disclosed a network breach potentially exposing sensitive data; business continues, but scope and costs remain uncertain.

Aflac's disclosure reveals a significant cybersecurity incident with potentially material implications. The company identified unauthorized network access on June 12, 2025, and reports containing the intrusion within hours. Several positive elements deserve mention: systems avoided ransomware infection, business operations remain functional, and customer service continues uninterrupted.

The potentially compromised data is concerning, however. The affected files may contain highly sensitive information including claims details, health records, social security numbers, and other personal data of customers, beneficiaries, employees, and agents. The scope remains undetermined as the company's review is in "early stages."

Aflac's response follows cybersecurity best practices: prompt containment, engagement of third-party experts, plans for regulatory notification, and offering free credit monitoring to affected individuals. These measures may mitigate reputational damage, but don't eliminate financial exposure.

The filing's explicit statement that "the full scope and potential ultimate impact on the Company are not known" creates material uncertainty. Data breach costs typically include forensic investigation, remediation, notification expenses, potential regulatory inquiries, and possible litigation. Similar incidents in the insurance sector have resulted in multi-million dollar expenses spanning several quarters. The absence of details on affected population size prevents precise impact assessment, but breaches involving health information and SSNs typically carry higher per-record costs and regulatory scrutiny.

0000004977false00000049772025-06-202025-06-200000004977exch:XNYS2025-06-202025-06-20

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 or 15(d) of The Securities Exchange Act of 1934

Date of Report (Date of earliest event reported) June 20, 2025

Aflac Incorporated

_________________________________________________________________________________________________________________________________________________________

(Exact name of registrant as specified in its charter)

Georgia

001-07434

58-1167100

(State or other jurisdiction

(Commission

(IRS Employer

of incorporation)

File Number)

Identification No.)

1932 Wynnton Road

Columbus

Georgia

31999

(Address of principal executive offices)

(Zip Code)

706.323.3431

_________________________________________________________________________________________________________________________________________________________

(Registrant’s telephone number, including area code)

_________________________________________________________________________________________________________________________________________________________

(Former name or former address, if changed since last report)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

☐			Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
☐			Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)
☐			Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))
☐			Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:

Title of each class

Trading Symbol(s)

Name of each exchange on which registered

Common Stock, $.10 Par Value

AFL

New York Stock Exchange

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ¨

Item 8.01 Other Events.

On June 12, 2025, Aflac Incorporated, a Georgia corporation (the “Company”), identified unauthorized access to its network. The Company promptly initiated its cybersecurity incident response protocols and believes that it contained the intrusion within hours. The Company’s business remains operational, and its systems were not affected by ransomware. The Company continues to serve its policyholders as it responds to this incident and can underwrite policies, review claims, and otherwise service customers as usual. The Company has engaged leading third-party cybersecurity experts to support the Company’s response to the incident.

The Company has commenced a review of potentially impacted files. That review is in its early stages. The Company is unable to determine the total number of affected individuals until that review is completed. The potentially impacted files contain claims information, health information, social security numbers, and/or other personal information, related to customers, beneficiaries, employees, agents, and other individuals in its U.S. business. The Company anticipates notifying regulators and providing appropriate notifications to individuals affected by this incident. Individuals will be offered free credit monitoring and identity theft protection services.

At this time, the full scope and potential ultimate impact on the Company are not known.

FORWARD-LOOKING INFORMATION

The Private Securities Litigation Reform Act of 1995 provides a “safe harbor” to encourage companies to provide prospective information, so long as those informational statements are identified as forward-looking and are accompanied by meaningful cautionary statements identifying important factors that could cause actual results to differ materially from those included in the forward-looking statements. The company desires to take advantage of these provisions. This document contains cautionary statements identifying important factors that could cause actual results to differ materially from those projected herein, and in any other statements made by company officials in communications with the financial community and contained in documents filed with the Securities and Exchange Commission (SEC). Forward-looking statements are not based on historical information and relate to future operations, strategies, financial results or other developments. Furthermore, forward-looking information is subject to numerous assumptions, risks and uncertainties. In particular, statements containing words such as “expect,” “anticipate,” “believe,” “goal,” “objective,” “may,” “should,” “estimate,” “intends,” “projects,” “will,” “assumes,” “potential,” “target,” "outlook" or similar words as well as specific projections of future results, generally qualify as forward-looking. Factors that could cause actual results to differ materially from those expressed or implied include the Company’s discovery of additional information related to the incident, legal, reputational, and financial risks resulting from the incident, any potential regulatory inquiries, enforcement actions and/or litigation to which the Company may become subject in connection with the incident, any contract terminations, disputes or loss of business, and other additional costs that may be incurred by the Company in connection with the incident. Aflac undertakes no obligation to update such forward-looking statements.

1

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

						Aflac Incorporated
June 20, 2025						/s/ Robin L. Blackmon
						(Robin L. Blackmon)
						Senior Vice President, Financial Services
						Chief Accounting Officer

2

FAQ

What type of cybersecurity incident did AFL report in its June 2025 8-K filing?

According to the 8-K filing, Aflac Incorporated (AFL) identified unauthorized access to its network on June 12, 2025. The company contained the intrusion within hours, and its systems were not affected by ransomware. The business remains operational and can continue normal services including underwriting policies, reviewing claims, and servicing customers.

What customer data was potentially compromised in AFL's June 2025 security breach?

The potentially impacted files contain claims information, health information, social security numbers, and/or other personal information related to customers, beneficiaries, employees, agents, and other individuals in AFL's U.S. business. The total number of affected individuals is still under review and has not been determined.

What actions is AFL taking to address the June 2025 data breach?

AFL has taken several actions: 1) Engaged leading third-party cybersecurity experts to support the response, 2) Commenced a review of potentially impacted files, 3) Plans to notify regulators and affected individuals, and 4) Will offer free credit monitoring and identity theft protection services to affected individuals.

When did AFL discover and report the 2025 cybersecurity incident?

AFL discovered the unauthorized network access on June 12, 2025, and filed the 8-K report on June 20, 2025. The company states it contained the intrusion within hours of discovery.

What are the potential risks AFL disclosed regarding the June 2025 cybersecurity incident?

AFL disclosed several potential risks including: legal, reputational, and financial risks; possible regulatory inquiries and enforcement actions; potential litigation; contract terminations; disputes or loss of business; and additional costs that may be incurred in connection with the incident. The company noted that the full scope and potential ultimate impact are not yet known.