Aflac Japan breach exposes personal data of 4.38 million customers and agents
Aflac disclosed that attackers who breached its Japanese subsidiary's policyholder portal exfiltrated the personal information of roughly 4.38 million customers and insurance agents.
- Victim
- Aflac Life Insurance Japan
- records
- 4.4M
- users
- 4.4M
On 30 June 2026, Aflac β the U.S.-based supplemental-insurance giant β disclosed that attackers had breached the systems of its Japanese subsidiary, Aflac Life Insurance Japan, and stolen the personal information of approximately 4.38 million customers and insurance agents. The company said the intrusion was confined to its operations in Japan and that systems supporting its U.S. business were not affected.
According to Aflac, an unauthorised third party gained access to the subsidiary's policyholder portal at multiple points between 15 and 25 June 2026, when the activity was detected. The exposed data includes names, addresses, phone numbers, dates of birth, gender, security information and insurance account details. A subset of roughly 230,000 people also had insurance-premium transfer account information exfiltrated, though the company said no credit card information was accessed.
Response
Upon discovering the intrusion on 25 June 2026, Aflac Japan suspended the affected systems to contain the incident and engaged third-party specialists to support the investigation. The company warned that the shutdown had disrupted several of its services while it worked to secure its environment, and said it would notify affected individuals and cooperate with regulators as its forensic review continued.
Why it matters
The breach is one of the larger disclosures in a wave of intrusions targeting major Japanese companies in June 2026. Aflac did not attribute the attack to a specific threat actor and did not detail how the attackers gained initial access; some security researchers have speculated that the incident may fit the pattern of activity associated with the Scattered Spider collective, which has repeatedly targeted large insurers, though no such link has been confirmed. For policyholders, the exposure of names, contact details, dates of birth and insurance account information creates a durable risk of targeted fraud and social-engineering long after the systems are restored.
Timeline
Aflac Japan detects unauthorised access to its policyholder portal and suspends the affected systems.
Aflac publicly discloses the breach, estimating that the personal data of about 4.38 million customers and agents was exfiltrated.
Sources
- therecord.mediahttps://therecord.media/japan-cyber-breaches-aflac-sapporo-nidec-kddi
- securityweek.comhttps://www.securityweek.com/aflac-japan-data-breach-impacts-4-38-million/
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/insurance-giant-aflac-discloses-data-breach-after-subsidiary-hack/
- securityaffairs.comhttps://securityaffairs.com/194488/data-breach/hackers-steal-data-of-4-38-million-aflac-japan-customers.html