The Aflac Breach and the Rise of Extortion-Only Cyberattacks

The cyberattack disclosed by insurance giant Aflac in June 2026 – which exposed data belonging to nearly 22.7 million customers, beneficiaries, employees, and agents – is more than another entry on a long list of breaches. It is a clear signal of how the economics of cybercrime are changing, and why every business, regardless of size, needs to rethink what “being attacked” actually looks like in 2026.

From locked files to stolen secrets

For years, the defining image of a cyberattack was ransomware: files scrambled, a countdown timer, a demand for payment in exchange for a decryption key. That model is fading. Increasingly, attackers skip the encryption step entirely and go straight for the data – quietly copying sensitive records and then threatening to publish them unless they are paid.

The Aflac incident fits the pattern. Threat actors reportedly accessed documents containing insurance claims, Social Security numbers, and health details before the intrusion was contained within hours. The damage was not that systems went dark; it was that confidential information left the building.

Why extortion-only attacks are spreading

The shift makes grim business sense for criminals. Encrypting an entire network is noisy, technically complex, and increasingly likely to trigger defences before the job is done. Stealing data is simpler, faster, and just as profitable – the leverage comes from the threat of exposure rather than the loss of access. For the victim, the consequences are regulatory fines, reputational harm, and the near-impossibility of “undoing” a leak once data is out.

What this means for your organisation

If the value of an attack is now the data itself, then protecting that data – not just keeping systems running – becomes the priority. A few principles matter more than ever:

  • Collect and keep less. Data you do not store cannot be stolen. Regularly review what you hold and delete what you no longer need.
  • Encrypt at rest and in transit. Stolen data that is properly encrypted is far less useful to an attacker.
  • Watch for exfiltration. Monitoring should flag unusual outbound data flows, not just inbound intrusions.
  • Plan for disclosure, not just recovery. Your incident response plan should assume data has left your environment and address legal, regulatory, and customer-communication steps.
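To make the "watch for exfiltration" point concrete, here is an added example (not code from this article or from Data Mammoth's tooling) that compares each host's outbound volume against its own baseline and lists destinations it has never sent data to before. The flow-record layout, host and destination names, byte counts, and the k and min_history tuning values are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (day, internal host, external destination, bytes sent out).
FLOWS = [
    (1, "hr-db01", "backup.example.net", 210_000_000),
    (2, "hr-db01", "backup.example.net", 195_000_000),
    (3, "hr-db01", "backup.example.net", 220_000_000),
    (4, "hr-db01", "backup.example.net", 205_000_000),
    (5, "hr-db01", "backup.example.net", 200_000_000),
    (5, "hr-db01", "files.example.org", 9_400_000_000),
    (1, "web01", "cdn.example.com", 50_000_000),
    (2, "web01", "cdn.example.com", 65_000_000),
    (3, "web01", "cdn.example.com", 48_000_000),
    (4, "web01", "cdn.example.com", 55_000_000),
    (5, "web01", "cdn.example.com", 61_000_000),
]

def egress_alerts(flows, today, k=6.0, min_history=3):
    """Flag hosts whose outbound volume today is far above their own baseline,
    and list destinations they have never sent data to before (k is assumed)."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes out
    dests = defaultdict(lambda: defaultdict(set))   # host -> day -> destinations
    for day, host, dst, nbytes in flows:
        daily[host][day] += nbytes
        dests[host][day].add(dst)

    alerts = []
    for host, per_day in sorted(daily.items()):
        history = [b for d, b in per_day.items() if d < today]
        if today not in per_day or len(history) < min_history:
            continue  # too little baseline to judge this host
        base = median(history)
        # Median absolute deviation: robust to one earlier spike in the baseline.
        mad = median(abs(b - base) for b in history) or 1
        threshold = base + k * 1.4826 * mad
        seen = set().union(*(s for d, s in dests[host].items() if d < today))
        new_dests = sorted(dests[host][today] - seen)
        if per_day[today] > threshold:
            alerts.append({"host": host, "bytes_out": per_day[today],
                           "threshold": int(threshold), "new_destinations": new_dests})
    return alerts

if __name__ == "__main__":
    for alert in egress_alerts(FLOWS, today=5):
        print(alert)
```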

How Data Mammoth helps

At Data Mammoth, we help businesses move from a recovery-first mindset to a data-protection-first one – with monitoring that catches data leaving before it becomes a headline, encryption built into the architecture, and incident response plans that hold up under real pressure. The criminals have changed their playbook. Your defences should too.

Related services: Application Security and Managed IT Services.
