Aflac Japan breach exposes millions of customer records

Repeat incident sharpens focus on insurer cyber risks

By Roxanne Libatique

Aflac Life Insurance Japan Ltd. disclosed on June 30, 2026, that hackers had stolen personal data belonging to 4.38 million customers and agents, according to a Form 8-K filed with the US Securities and Exchange Commission cited by Security Affairs. The disclosure marks the second time in roughly a year that a major Aflac breach has been confirmed, following a June 2025 incident at the company’s US business that exposed data on more than 22 million individuals. Together, the two events place one of the world’s largest supplemental insurers at the centre of a broader wave of attacks against the sector, and they arrive as Japan’s data protection regulator moves toward tougher enforcement powers.

A repeat target, not an isolated case

Security Affairs reported in December 2025 that Aflac had confirmed a breach detected in June 2025 affecting approximately 22.65 million individuals in the US. According to that reporting, Aflac said the incident involved names, contact details, claims and health information, and Social Security numbers, though not every data type applied to every person. Aflac stated at the time: “Based on our review of potentially impacted files, we have determined personal information associated with approximately 22.65 million individuals was involved.” The company also said it detected the intrusion within hours, that no ransomware was deployed, and that its systems stayed operational throughout. It offered two years of identity protection services to those affected, with enrolment open until April 18, 2026.

Six months after that enrolment window opened, the newer Japan-based breach followed a similar arc but through a different entry point. Per the SEC filing tied to the 2026 incident, an unauthorized party accessed Aflac Japan’s systems between June 15 and June 25, 2026, and the intrusion was not identified until the final day of that window. Security Affairs reported that the attackers entered through the company’s policyholder portal, taking names, addresses, phone numbers, dates of birth, gender, security details, and insurance account information, with the specific data exposed varying by customer. The filing states that Aflac Japan has notified Japan’s Financial Services Agency and other authorities and intends to contact affected individuals directly.

Aflac’s own investor disclosures underscore how central its Japanese operations are to the two incidents’ significance. In a March 31, 2026, announcement covering a separate reinsurance transaction with Japan Post Insurance, Aflac Incorporated stated that “in Japan, Aflac Life Insurance Japan is the leading provider of cancer and medical insurance in terms of policies in force.” That same announcement listed, among the company’s forward-looking risk factors, “uncertainty regarding the impact of the incident involving unauthorized access to the company’s network in June 2025” – an acknowledgment, in Aflac’s own words, that the earlier breach remained an open risk to the business as of the announcement’s date.

Part of a sector-wide wave

Security Affairs has linked both the Aflac and Allianz Life breaches to a broader campaign against insurers tied to the cybercrime group Scattered Spider. Allianz Life disclosed in July 2025 that an attacker had used social engineering to access a third-party customer relationship management system; a notice later filed with the Maine Attorney General’s Office put the number of affected individuals at 1,497,036. Allianz Life said its core network and policy administration system were not accessed and offered two years of identity monitoring to those affected.

Separately, Security Affairs reported that Noah Urban, a 20-year-old described as a member of Scattered Spider, pleaded guilty in April 2025 to conspiracy, wire fraud, and identity theft charges in federal cases in Florida and California, and agreed to pay approximately US$13 million in restitution. Scattered Spider and related networks have been tied by Security Affairs to intrusions at multiple companies over recent years, frequently relying on social engineering and phishing rather than technical exploits to gain initial access.

Regional data points to a structural problem

INTERPOL’s 2025/2026 Asia and South Pacific Cyberthreat Assessment, published June 17, 2026, adds scale to the pattern. The report found that cybercrime accounts for more than 30% of all recorded crime in more than half of the countries it surveyed, that phishing was the region’s most damaging cybercrime technique, and that system intrusions caused roughly 80% of data breaches recorded in 2024, with malware present in 83% of cases and ransomware in 51%. Ransomware-related attacks in the region topped 135,000 in 2024, and denial-of-service attacks rose 92% year over year. Neal Jetton, INTERPOL’s cybercrime director, said in the report: “The findings in this report highlight a rapidly evolving cyber threat landscape across Asia and the South Pacific, where cybercriminals are leveraging artificial intelligence, ransomware-as-a-service models and sophisticated social engineering techniques on an industrial scale.”

A regulatory framework in flux

Under Japan’s Act on the Protection of Personal Information, businesses handling personal data must report to the Personal Information Protection Commission and notify affected individuals when a breach involves sensitive personal information, carries a risk of financial harm, appears to result from an unlawful or malicious act, or affects more than 1,000 people. The law, administered by the PPC, sets a preliminary reporting window of three to five days from recognition of a breach, with a final report due within 30 days, or 60 days if the breach is believed to involve malicious intent.

The framework itself is under revision. The PPC decided on January 9, 2026, on a system reform policy under its triennial review of the law that would authorize the commission to impose administrative monetary penalties tied to the pecuniary benefit obtained through large-scale, economically motivated violations that significantly infringe on individuals’ rights and interests. According to the PPC’s published outline, the amendment bill is expected to be submitted to the Diet as early as spring 2026 and, if approved, would take effect roughly two years later.

For insurers, the combination of the Aflac and Allianz Life incidents, Aflac’s own acknowledgment that its 2025 breach remains an unresolved risk factor, and a Japanese regulator moving toward stronger penalties raises a question that extends past either company: whether customer-facing portals and third-party vendor systems, rather than core policy administration platforms, have become the primary point of failure across the industry – and whether insurers’ current incident-response and disclosure practices will hold up as regulatory scrutiny intensifies.
