Skip to content
Data breachContained

Aflac Japan breach exposes personal data of 4.38 million customers and agents

Aflac disclosed that attackers who breached its Japanese subsidiary's policyholder portal exfiltrated the personal information of roughly 4.38 million customers and insurance agents.

Victim
Aflac Life Insurance Japan
records
4.4M
users
4.4M

On 30 June 2026, Aflac β€” the U.S.-based supplemental-insurance giant β€” disclosed that attackers had breached the systems of its Japanese subsidiary, Aflac Life Insurance Japan, and stolen the personal information of approximately 4.38 million customers and insurance agents. The company said the intrusion was confined to its operations in Japan and that systems supporting its U.S. business were not affected.

According to Aflac, an unauthorised third party gained access to the subsidiary's policyholder portal at multiple points between 15 and 25 June 2026, when the activity was detected. The exposed data includes names, addresses, phone numbers, dates of birth, gender, security information and insurance account details. A subset of roughly 230,000 people also had insurance-premium transfer account information exfiltrated, though the company said no credit card information was accessed.

Response

Upon discovering the intrusion on 25 June 2026, Aflac Japan suspended the affected systems to contain the incident and engaged third-party specialists to support the investigation. The company warned that the shutdown had disrupted several of its services while it worked to secure its environment, and said it would notify affected individuals and cooperate with regulators as its forensic review continued.

Why it matters

The breach is one of the larger disclosures in a wave of intrusions targeting major Japanese companies in June 2026. Aflac did not attribute the attack to a specific threat actor and did not detail how the attackers gained initial access; some security researchers have speculated that the incident may fit the pattern of activity associated with the Scattered Spider collective, which has repeatedly targeted large insurers, though no such link has been confirmed. For policyholders, the exposure of names, contact details, dates of birth and insurance account information creates a durable risk of targeted fraud and social-engineering long after the systems are restored.

Timeline

  1. Aflac Japan detects unauthorised access to its policyholder portal and suspends the affected systems.

  2. Aflac publicly discloses the breach, estimating that the personal data of about 4.38 million customers and agents was exfiltrated.

Sources

  1. therecord.mediahttps://therecord.media/japan-cyber-breaches-aflac-sapporo-nidec-kddi
  2. securityweek.comhttps://www.securityweek.com/aflac-japan-data-breach-impacts-4-38-million/
  3. bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/insurance-giant-aflac-discloses-data-breach-after-subsidiary-hack/
  4. securityaffairs.comhttps://securityaffairs.com/194488/data-breach/hackers-steal-data-of-4-38-million-aflac-japan-customers.html

Related incidents

Data breachResolved

Zurich data breach (2023)

In January 2023, the Japanese arm of Zurich insurance suffered a data breach that exposed 2.6M customer records with over 756k unique email addresses. The data was subsequently posted to a popular hacking forum and also included names, genders, dates of birth and details of insured vehicles.

Victim
Zurich
Records
756.7K
Data breachUnknown

23,685 records: claimed leak at ATOA

A threat actor put a database from ATOA β€” a French real-estate tokenization and fractional-investment fintech β€” up for sale on a dark web forum, exposing roughly 23,685 user and financial records plus 326 full KYC archives containing passports, ID cards and banking details.

Victim
ATOA
Records
23.7K