VYPR
breachPublished Jul 1, 2026· 1 source

Aflac Japan Hit by Second Major Data Breach, Exposing Millions of Customers

Aflac Japan has detected a hacking incident that potentially exposed the personal and financial information of nearly 4.4 million customers and agents, marking the insurance giant's second significant data breach in just over a year.

Aflac's Japanese life insurance subsidiary has disclosed a significant data breach that may have exposed the personal and financial details of approximately 4.4 million customers and agents. The incident, detected on June 25, involved unauthorized access to IT systems in Japan, with the first instance of intrusion occurring on June 15. This marks the second major hacking incident for Aflac within a little over a year, raising concerns about the company's data security posture.

The breach was reported to the U.S. Securities and Exchange Commission (SEC) by the Georgia-based insurer. Aflac stated that while the investigation is ongoing, certain impacted files contain policy and coverage details, personal information, and bank account information. The company has notified the Japan Financial Services Agency and other relevant authorities, and plans to inform affected individuals. A dedicated breach notice and FAQ page on Aflac Japan's local website further detailed that 4.38 million individuals were affected, including 230,000 whose insurance premium transfer account information was leaked.

According to Aflac Japan, the intrusion was detected due to unusually high load on an information processing unit. The investigation revealed that third parties illegally viewed and leaked customer and agent personal details through systems like "Aflac Yoroiso Net." The company confirmed multiple unauthorized access incidents between June 15 and June 25. The exact cause and full scope of the impact are still under investigation, with Aflac Japan considering recurrence prevention measures from both technical and administrative perspectives.

In response to the incident, Aflac Japan has suspended certain systems and services supporting its "Yoriso Net" portal for policyholders. These include services for comprehensive medical checkups, fertility concierge, online budgeting, and an AI support concierge. The restoration of these services is contingent on confirming their safety. The leaked information varies depending on the accessed system, but could include names, dates of birth, addresses, phone numbers, policy numbers, coverage details, and bank account information for premium transfers.

This latest incident follows a previous major data breach disclosed by Aflac in June 2025, which affected nearly 22.7 million people and compromised sensitive data including Social Security numbers and health information. That earlier attack was part of a "sophisticated cybercrime campaign" targeting insurers, with security researchers speculating that the Scattered Spider group was behind it, along with attacks on other large U.S. insurers like Erie Insurance and Philadelphia Insurance Companies.

Aflac has explicitly stated that the current Aflac Japan incident has no connection to the 2025 breach affecting its U.S. business systems. However, the recurrence of such a large-scale breach highlights persistent challenges in securing sensitive customer data. Experts note that multinational corporations are often viewed as single entities with multiple entry points, and attackers may pivot to overseas branches if the main network is heavily fortified after an initial incident.

The ongoing investigation into the Aflac Japan breach could reveal further details about the attack vectors, potentially pointing to shared weaknesses in identity access management or cloud configurations. The incident underscores the critical need for continuous security vigilance and robust data protection measures across all global operations of multinational corporations.

Synthesized by Vypr AI