A major Aflac Japan data breach has exposed the personal, policy, and bank account information of approximately 4.38 million customers after attackers compromised systems belonging to the insurance giant’s Japanese subsidiary. The company says the incident affected only its operations in Japan and did not impact systems supporting its U.S. business.
The disclosure comes roughly one year after Aflac reported another cyberattack during a wave of intrusions targeting insurance companies across the United States.
Attackers Breached Aflac Japan Systems
American insurance provider Aflac revealed the breach in a filing with the U.S. Securities and Exchange Commission (SEC).
According to the company, an unauthorized third party gained access to systems operated by Aflac Japan between June 15 and June 25, 2026. Employees discovered the intrusion on June 25, prompting the company to launch its incident response procedures.
After detecting the attack, Aflac moved quickly to contain the breach. The company suspended several systems to prevent additional unauthorized access while continuing to provide insurance services to policyholders.
Aflac has also hired external cybersecurity experts to investigate the incident and determine exactly how the attackers gained access.
Aflac Japan Data Breach Exposed Sensitive Customer Information
Although investigators continue to examine the attack, Aflac Japan has already confirmed that the compromised systems stored highly sensitive customer information.
The exposed files contain policy and coverage details, personally identifiable information, and bank account information belonging to approximately 4.38 million customers.
Company officials have notified the Japan Financial Services Agency and other relevant authorities about the breach. Aflac also plans to contact affected individuals directly once it completes the investigation.
At this stage, the company says it has not determined the full scope of the incident or its long-term business impact.
U.S. Operations Were Not Affected
Aflac emphasized that the incident remained limited to its Japanese subsidiary.
According to the company, attackers did not access systems supporting its U.S. insurance business. While investigators continue their forensic analysis, Aflac says it has found no evidence that the breach spread beyond its operations in Japan.
The company continues to respond to the incident while working to restore affected systems and strengthen its security controls.
Second Major Aflac Cyberattack in a Year
The latest Aflac Japan data breach follows another significant security incident disclosed by the insurer last year.
During that attack, cybercriminals potentially accessed documents containing sensitive information related to customers, beneficiaries, employees, agents, and other individuals. Although Aflac never publicly identified the attackers, security researchers noted that the incident closely matched the tactics commonly associated with the Scattered Spider cybercrime group.
Scattered Spider has recently targeted multiple insurance companies, including Erie Insurance and Philadelphia Insurance Companies (PHLY), as part of a broader campaign against the sector.
The group has also collaborated with several ransomware operations, including Qilin, RansomHub, and DragonForce. Over the past few years, attackers linked to Scattered Spider have breached numerous high-profile organizations, including MGM Resorts, Caesars Entertainment, DoorDash, Twilio, Coinbase, Riot Games, Reddit, and Mailchimp.
The latest breach highlights the continued pressure facing insurance providers as financially motivated cybercriminals increasingly target organizations that store large volumes of valuable customer and financial data.


0 responses to “Aflac Japan Data Breach Exposes Personal and Bank Information of 4.38 Million Customers”