Red alert with skull symbol showing data breach

Data Breach at Aflac Japan Impacts 4.38 Million Customers and Sales Agents

A data breach at Aflac Life Insurance Japan has exposed the personal information of 4.38 million customers and sales agents.

The Japanese insurance giant is a subsidiary of Columbus, Georgia-based American Family Life Assurance Company (Aflac), a Fortune 500 company with tens of millions of customers and annual revenue of more than $19 billion.

The company said it initiated containment measures after detecting anomalous activity on its policyholder portal stemming from a single user account.

Aflac data breach affects 4.38 million customers

Aflac Japan learned of the cyber intrusion on June 25, 2026, after detecting data processing overload on its policyholders’ portal. It traced the suspicious activity to a single account that had accessed a vast number of customers’ profiles since June 15. However, Aflac has not clarified whether the account was hacked or an insider threat.

“The Aflac Japan incident reflects that shift. A single account traversed an extraordinary volume of customer records over 11 days, until a spike in processing load surfaced the activity,” said Takanori Nishiyama, Senior Vice President APAC and Country Manager, Japan, Keeper Security. “The lesson lies not only in how access was obtained, but in how long anomalous behavior went unobserved. Every second of undetected access compounds the potential harm, turning a contained incident into a systemic breach.”

Upon learning of the data breach, the insurance giant launched an investigation and determined that the unauthorized actor had accessed the personal information of 230,000 customers. While details leaked varied by individual, they included customer names, addresses, phone numbers, policy numbers, coverage details, and bank account information. The bad actor also accessed phone numbers and addresses of 40,000 sales agents. In total, the data breach affected 4.38 million customers. Aflac is working to notify all affected individuals with specific details regarding the data breach.

However, the data breach did not expose customer credit card details, national identification numbers, or protected health information. The insurance company also shut down the affected systems to contain the threat and prevent further unauthorized access to customer information.

“Upon identifying the unlawful access, Aflac Japan promptly took steps designed to contain the incident and prevent further intrusion, including suspending certain systems,” the insurer stated in a regulatory filing.

The shutdown disrupted at least five services, but Aflac is working to restore all the affected systems and resume normal operations after validating system integrity. However, the insurer has no expected restoration time, suggesting the disruption could last for days or even weeks. Nevertheless, Aflac says the system shutdown has not affected its customer operations.

“To prevent the spread of unauthorized access, some systems are currently suspended, but inquiries and procedures such as claims for insurance and benefits are still being handled as usual at call centers and other channels,” it wrote.

Nevertheless, Aflac continues to serve its customers while working to restore the impacted system. The insurance giant also disclosed that the data breach affected only Japan and did not affect its North American operations.

“This incident is limited to systems in Japan, the Company’s systems related to its U.S. business were not accessed by the unauthorized third-party,” said the insurance giant.

So far, Aflac has no evidence that the threat actor has misused the stolen information to commit fraud. However, it advised customers to be on the lookout and notify their financial institutions and relevant authorities of any suspicious activity. Affected customers should also confirm any communication purporting to originate from Aflac using official channels to avoid falling victim to vishing or smishing.

At the time of publication, the identity of the threat actor, whether the insurance company had received ransom demands, and the vulnerability exploited were undisclosed.

“The most common entry point for large-scale breaches today is no longer forced intrusion, but the misuse of legitimate access,” added Nishiyama. “Verizon’s 2026 Data Breach Investigations Report found that credential abuse remained the most pervasive technique overall, present in 39% of breaches across the full attack chain. Identity has quietly become the primary attack surface for organizations that hold sensitive customer data.”

Meanwhile, the insurance giant has launched an investigation with the assistance of external cybersecurity experts to determine the nature and scope of the incident and the necessary measures it will take to prevent a similar incident in the future.

Insurance companies targeted

Aflac has experienced a cyber attack in the past. In June 2025, Aflac was the victim of a Scattered Spider cyber attack that leaked the personal information of customers, insurance beneficiaries, employees, insurance agents, and other entities in the United States. The cyber attack exposed personal data, protected health information, and Social Security Numbers of over 22 million people.

In June 2025, hacking group Scattered Spider also targeted Erie Insurance and Philadelphia Insurance Companies. In August 2025, Farmers Insurance also disclosed a third-party data breach after hackers breached a vendor-managed database.