Aflac Data Breach: Over 4M Customers in Japan May Be at Risk

Aflac Data Breach: Over 4M Customers in Japan May Be at Risk

Aflac Data Breach: Over 4M Customers in Japan May Be at Risk

Image: ChatGPT

Aflac says a data breach in Japan may affect 4.38 million customers and agents, exposing personal, policy, and some banking information.

Jul 1, 2026

Another cyberattack has put millions of insurance records at risk.

Insurance giant Aflac has reported a data breach on its network in Japan. The company noted that attackers gained unauthorized access to its policyholder portal between June 15 and June 25, potentially affecting about 4.38 million customers and insurance agents. The insurer has since engaged outside cybersecurity specialists to investigate.

The company says the exposed information affects personal and financial data, while stressing that there is currently no evidence of fraudulent use. The disclosure adds to a growing list of cyberattacks targeting insurers, highlighting the sector’s continued appeal to threat actors.

Timeline of Aflac’s latest breach

The company says the intrusion began on June 15 with attackers maintaining persistent access for 10 days before the insurer detected unusual activity on June 25. According to the company, a “high load status on the information processing unit (CPU)” on the morning of June 25 triggered an investigation, which found that customer information may have been accessed repeatedly during that period.

In response, Aflac isolated affected systems and services and said it will begin notifying customers whose information was compromised. The insurer also reported the breach to Japanese authorities and the US Securities and Exchange Commission (SEC), although Aflac says the incident did not affect US customer data.

Investigations continue as the full scope remains uncertain

Aflac estimates that about 4.38 million customers and insurance agents were affected but frames that figure as likely to change as the investigation continues.

Based on current findings, the exposed information varies by individual and includes personal and contact details, insurance policy information, and banking records. About 230,000 customers also have their insurance premium transfer account information exposed. Aflac says no credit card information was compromised.

Must-read security coverage

Advertisement

A year ago, the company’s US systems fell victim to a cyberattack that was later discovered to have impacted 22 million customers.

On the surface, this looks like an Aflac-only story, but it extends beyond the company to an insurance industry trend. Bleeping Computer reports that the same threat group (Scattered Spider), suspected of having compromised Aflac last year, has also attacked other insurance companies. Two highlighted incidents were from Erie Insurance and Philadelphia Insurance Companies.

The string of attacks suggests insurers remain attractive targets because they store large volumes of lasting information that can be exploited for fraud, extortion, or highly targeted phishing campaigns.

What customers should know

Aflac says it has not confirmed fraudulent use of the exposed data, but customers should still treat the incident as an active risk. Personal, policy, and banking details can help scammers craft messages that appear legitimate, especially when they reference real insurance accounts, payment information, or customer service issues.

Affected customers should watch for unexpected emails, texts, or calls claiming to be from Aflac or another insurer. Do not click links or provide account details through unsolicited messages. Instead, go directly to Aflac’s official website or contact the company through a verified phone number.

Customers whose banking information may have been exposed should monitor account activity closely and report suspicious transactions to their bank. It may also be worth enabling account alerts, updating passwords, and using multifactor authentication where available.

The larger warning applies beyond Aflac. Insurance records can contain sensitive personal information, so readers should remain alert to follow-up phishing attempts even after the initial breach notification period ends.

Related reading: For more on Japan’s recent breach risks, read our coverage of KDDI’s breach affecting up to 14.2 million ISP email accounts.

Joseph Ofonagoro

Joseph is a technical writer with about three years of experience creating clear, practical content across consumer technology, startups, tutorials, and cybersecurity. He is also advancing a career in cyber threat intelligence, driven by a strong interest in the responsible use of technology and its role in protecting people, organizations, and digital systems. His passion for cybersecurity grew out of a broader commitment to helping others understand technology safely and effectively. As an undergraduate at the National Open University of Nigeria, he leads a community of technology enthusiasts, guiding beginners, sharing learning resources, and helping students build confidence as they explore careers in tech. Joseph’s writing combines technical curiosity with an accessible, beginner-friendly style. In addition to his editorial work, he periodically shares cybersecurity case studies and research reports on social media, covering threat trends, security lessons, and practical insights for readers interested in cyber awareness and digital safety.