Aflac Japan Data Breach Impacts 4.38 Million Individuals
The Japanese subsidiary of insurance giant Aflac confirmed that cyberattackers accessed its systems for 10 days, stealing the personal and financial data of 4.38 million customers and agents.
What Happened
Aflac Life Insurance Japan, a subsidiary of the insurance industry giant Aflac, has disclosed a massive data breach affecting millions of its customers. According to an official announcement made on June 30, 2026, unidentified cyberattackers infiltrated the company's systems, compromising the sensitive data of approximately 4.38 million customers and agents. This development was also confirmed through an official filing with the U.S. Securities and Exchange Commission (SEC), which underscores the severity of the incident and the company's legal obligation to report it.
According to the company's statement, the cyberattack first occurred on June 15. The attackers accessed the systems repeatedly over a full ten days, until June 25, when the breach was finally discovered. This ten-day window provided the attackers with ample time to identify, aggregate, and exfiltrate data from the company's network. Aflac Japan stated that it took immediate action upon discovering the breach. The statement noted, "Upon identifying the unlawful access, Aflac Japan promptly took steps designed to contain the incident and prevent further intrusion, including suspending certain systems." However, it's clear that this intervention came after the data had already been stolen.
What Data Was Exposed
The scope of the compromised data highlights the seriousness of the situation. Aflac Japan confirmed that the cyberattackers specifically exfiltrated data from its policyholder portal. The stolen personal information includes several critical items:
- Full Names: Essential information for identity verification and social engineering attacks.
- Addresses: Can be used for targeted fraud and poses physical security risks.
- Phone Numbers: A primary target for SMS-based phishing (smishing) and fraudulent calls (vishing).
- Dates of Birth: A key piece of data frequently used in identity theft and to compromise other accounts.
- Gender: Used to enrich profiles and create more convincing fake identities.
- Security Information: Critical data for portal access, such as passwords, security questions, and answers.
- Insurance Account Information: Sensitive, personalized data like policy details and coverage information.
In addition to this general list, a more specific and direct financial risk emerged. The company disclosed that the bank account information used for insurance premium transfers of roughly 230,000 people was also exfiltrated. This puts affected customers at direct risk of financial fraud and unauthorized fund transfer attempts. As a small consolation, Aflac Japan stated that the attackers did not access any credit card information. However, the risks posed by the combination of all other stolen data remain exceptionally high. The company also noted that the types of exposed information vary by individual and has committed to sending a notification letter to each customer with specific details about their case.
How Did the Attack Happen
The statements released by Aflac Japan have provided limited technical details about the attack. The most definitive information is that the attackers targeted the company's policyholder portal and exfiltrated data through this system. However, how the attackers gained initial access—whether through a software vulnerability, stolen credentials, or a phishing attack—has not yet been clarified.
The company announced that it has engaged a third-party cybersecurity firm to conduct a comprehensive investigation to determine the root cause and full scope of the attack. As the investigation is ongoing, no official statement has been made regarding the attack vector, the tools used, or the specific vulnerabilities exploited. In large-scale incidents like this, investigations can take weeks or even months, with definitive findings often shared only after the process is complete. Therefore, critical questions, such as how the attackers breached the perimeter and how they remained undetected for ten days, remain unanswered for now.
Who Is Affected
The number of individuals directly affected by the data breach was stated to be 4.38 million. This figure includes not only insurance policyholders but also Aflac Japan agents, which broadens the impact of the breach. While customers face the risk of their personal and financial data being stolen, agents may face professional and personal challenges related to the exposure of both their own information and that of the clients they manage.
Aflac specifically emphasized that the breach is limited to its Japan operations and that the systems of the parent company in the U.S. or other international subsidiaries were not affected. This at least means the damage is geographically contained. Nevertheless, a figure of 4.38 million could make this one of the largest insurance data breaches in Japan's history. Customers will have to wait for the official notification letter from the company to learn exactly which of their data was compromised.
What You Can Do
If you are an Aflac Japan customer or agent, it is important to take proactive steps to protect yourself against the possibility that your data was compromised:
- Be Wary of Phishing Attacks: Cybercriminals can use stolen information like your name, address, and policy number to craft highly convincing emails, text messages, or phone calls. Be skeptical of any communication claiming to be from Aflac that requests urgent password resets, additional information, or warns of suspicious activity. Never click on unsolicited links or share personal information.
- Monitor Your Accounts: Keep a close eye on the activity of your bank account, especially the one used for premium payments. Report any suspicious or unrecognized transactions to your bank immediately.
- Change Your Passwords: Immediately change the password you use for the Aflac Japan portal. If you use the same password on other platforms, this is a major security risk. You should urgently update the passwords for all those accounts with different, strong combinations.
- Wait for Official Notification: Aflac Japan has stated it will send a letter to each victim detailing their specific situation. This letter will contain the most accurate information about what data of yours was exposed. Wait for this official communication before panicking.
- Check Your Overall Exposure: Incidents like this are a reminder of how scattered our data can be. You can use a data breach search tool to see if your information has appeared in other breaches. It's also wise to follow reliable data breach news sources to stay informed about the latest developments in the cybersecurity world.
What the Company Is Saying
Aflac is attempting to maintain a transparent stance in its response to the incident. The company's SEC filing and the FAQ section published on its Japanese website are part of its effort to explain the situation to the public and its customers. According to the company, at least five services have been temporarily suspended as a result of the breach. There is no clear timeline for when these services will be restored, indicating that the company's operations have also been significantly impacted.
Aflac Japan has stated that it has notified the relevant authorities as required by law and is fully cooperating with them in the investigation. The findings of the internal investigation, supported by third-party cybersecurity experts, will determine the steps to be taken to prevent similar incidents in the future. The company's core message to its customers emphasizes that it is working to contain the situation and inform those affected. However, it is clear that regaining the trust of millions of people will be a long and challenging process.
Source
https://www.securityweek.com/aflac-japan-data-breach-impacts-4-38-million/
This content was generated with AI assistance through our Argus Flow application.