Personal information of over 2 million Aflac life insurance and Zurich auto insurance policyholders in Japan was leaked online in a third-party data breach.
Aflac confirmed that hackers accessed 3.2 million records and potentially leaked the information of 1.3 million policyholders online. Similarly, Zurich disclosed that the personal, product, and vehicle information of 757,463 current and former customers was leaked after hackers compromised a third-party contractor.
Although the companies withheld the identity of the U.S. subcontractor involved, both data breaches could be related.
Cancer insurance policyholders exposed in the Aflac data breach
Aflac said it received information on January 9, that its customer data was circulating on the dark web after a hacker obtained the information from a U.S. contractor’s server on January 7.
According to the company, the data breach originated from a file transfer vulnerability on the third-party’s server used for marketing. The company responded by activating a response plan that complies with government regulations and internal procedures, notified Japan’s Financial Services Agency, and began an investigation with external cyber experts.
Aflac said that hackers had accessed 3.2 million records and compromised 1.3 million records of the “New Cancer Insurance” and “Super Cancer Insurance” policyholders. Data exposed include personal information, such as insurance policyholders’ last names, ages, genders, insurance type number, coverage amount and premiums.
Meanwhile, the subcontractor has deleted the data from the vulnerable server to prevent hackers from further accessing it.
Aflac will also contact each impacted customer individually to notify and guide them on available support options. However, the company believes that the possibility of hackers misusing the leaked information was “extremely low” because the breach did not involve data that could be used to identify a person.
Zurich data breach exposed auto insurance policyholders’ PII and policy information
Zurich Insurance confirmed a similar data breach that affected current and former customers of a local insurance product called “Super Automobile Insurance.”
However, the data breach did not expose the insurance policyholders’ bank account information, credit card numbers, or accident information. Additionally, the multinational Swiss insurance group disclosed that the data breach only affected insurance policyholders in Japan. Zurich’s spokesperson also added that the data breach did not compromise the company’s internal business systems.
Details leaked in the Zurich data breach include policyholders’ last names, dates of birth, genders, email addresses, policy numbers, customer IDs, vehicle names, grades, and other insurance-related information.
Unlike the Aflac data breach, Hackers could combine customers’ policy information and personal details to send compelling, targeted phishing messages to the exposed email addresses. Insurance policyholders should therefore avoid disclosing sensitive information such as credit card numbers and account passwords to individuals purporting to be Zurich’s employees and only communicate through the official channels.
Zurich reported the data breach to Japan’s regulatory bodies and would notify the affected insurance policyholders.
Interestingly, the data breach occurred days after the Zurich Insurance Group chief told the Financial Times that the frequency of cyber attacks would soon make them uninsurable.
“With breaches at Aflac and Zurich, we can see once again how third-party exposures can lead to exploits, likely through compromised credentials,” said Lior Yaari, CEO and co-founder of Grip Security. “The third party has the authority to access the Aflac and Zurich systems, likely through a simple username and password.”
Yaari warned that unguarded systems could allow threat actors to gain access without breaking in.
“Whether it’s a third-party, former employee, overly permissive grants, or dangling access on zombie accounts, the opportunity to exploit credentials and thereby gain access to sensitive information has never been more appealing.”
According to Liat Hayun, CEO of Eureka Security, “it is best to work with third-party vendors who have the same, if not better data security policies than your own organization.”