Another cyberattack has put millions of insurance records at risk.
Insurance giant Aflac has reported a data breach on its network in Japan. The company noted that attackers gained unauthorized access to its policyholder portal between June 15 and June 25, potentially affecting about 4.38 million customers and insurance agents. The insurer has since engaged outside cybersecurity specialists to investigate.
The company says the exposed information affects personal and financial data, while stressing that there is currently no evidence of fraudulent use. The disclosure adds to a growing list of cyberattacks targeting insurers, highlighting the sector’s continued appeal to threat actors.
Timeline of Aflac’s latest breach
The company says the intrusion began on June 15 with attackers maintaining persistent access for 10 days before the insurer detected unusual activity on June 25. According to the company, a “high load status on the information processing unit (CPU)” on the morning of June 25 triggered an investigation, which found that customer information may have been accessed repeatedly during that period.
In response, Aflac isolated affected systems and services and said it will begin notifying customers whose information was compromised. The insurer also reported the breach to Japanese authorities and the US Securities and Exchange Commission (SEC), although Aflac says the incident did not affect US customer data.
Investigations continue as the full scope remains uncertain
Aflac estimates that about 4.38 million customers and insurance agents were affected but frames that figure as likely to change as the investigation continues.
Based on current findings, the exposed information varies by individual and includes personal and contact details, insurance policy information, and banking records. About 230,000 customers also have their insurance premium transfer account information exposed. Aflac says no credit card information was compromised.
Must-read security coverage
- UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
- Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
- How GitHub Is Securing the Software Supply Chain
- 8 Best Enterprise Password Managers
A surge in insurance-related cyberattacks
A year ago, the company’s US systems fell victim to a cyberattack that was later discovered to have impacted 22 million customers.
On the surface, this looks like an Aflac-only story, but it extends beyond the company to an insurance industry trend. Bleeping Computer reports that the same threat group (Scattered Spider), suspected of having compromised Aflac last year, has also attacked other insurance companies. Two highlighted incidents were from Erie Insurance and Philadelphia Insurance Companies.
The string of attacks suggests insurers remain attractive targets because they store large volumes of lasting information that can be exploited for fraud, extortion, or highly targeted phishing campaigns.
What customers should know
Aflac says it has not confirmed fraudulent use of the exposed data, but customers should still treat the incident as an active risk. Personal, policy, and banking details can help scammers craft messages that appear legitimate, especially when they reference real insurance accounts, payment information, or customer service issues.
Affected customers should watch for unexpected emails, texts, or calls claiming to be from Aflac or another insurer. Do not click links or provide account details through unsolicited messages. Instead, go directly to Aflac’s official website or contact the company through a verified phone number.
Customers whose banking information may have been exposed should monitor account activity closely and report suspicious transactions to their bank. It may also be worth enabling account alerts, updating passwords, and using multifactor authentication where available.
The larger warning applies beyond Aflac. Insurance records can contain sensitive personal information, so readers should remain alert to follow-up phishing attempts even after the initial breach notification period ends.
Related reading: For more on Japan’s recent breach risks, read our coverage of KDDI’s breach affecting up to 14.2 million ISP email accounts.