BusinessCybersecurityNewswireTechnologyWhat's Buzzing

Aflac Data Breach Exposes Millions of Customers

▼ Summary

– Aflac’s Japan subsidiary discovered a data breach on June 25, where an unauthorized third party accessed systems between June 15 and June 25.
– The breach exposed highly sensitive data, including policy details, personal information, and bank account information; US systems were not affected.
– Nearly 4.4 million customers’ personal and financial information was compromised, including premium payment accounts for around 230,000 customers.
– Some systems, including the customer portal and medical check-up reservations, are shut down, but insurance claims are still handled via call center.
– This is not Aflac Japan’s first breach; prior incidents include a 2023 contractor breach and a 2024 attack potentially linked to the Scattered Spider group.

US insurer Aflac has revealed a significant data breach that compromised highly sensitive personal and financial records after hackers infiltrated its systems. The incident, which exclusively impacted the company’s Aflac Japan subsidiary, was first detected on June 25. In a filing with the SEC on June 30, the firm stated that an unauthorized third party accessed certain systems between June 15 and June 25.

“While the investigation is still underway, Aflac Japan has confirmed that some affected files contain policy and coverage details, personal information, and bank account information,” the company disclosed. It emphasized that the breach was confined to Japanese operations, with no access to systems supporting its U. S. business. “At this point, the complete scope and potential ultimate impact on the company remain unclear.”

A notice posted on Aflac Japan’s website indicated that the attack targeted its customer portal. “Please note that some systems are currently shut down to prevent the spread of unauthorized access,” the statement read, as translated via Google Translate. “However, inquiries and procedures, including claims for insurance benefits and other payments, are being handled as usual through our call center and other channels.” Services temporarily offline include medical check-up reservations, health screening bookings, and the firm’s AI support concierge.

Local reports estimate that the breach exposed data on nearly 4.4 million customers, including premium payment account details for roughly 230,000 individuals. This marks the latest in a series of security incidents for Aflac Japan. In 2023, customer information was stolen and listed for sale after a breach at a U. S. third-party contractor. A year later, another breach occurred, reportedly part of a broader campaign targeting U. S. insurers and attributed to the Scattered Spider group.

Joshua Roback, principal security solution architect at Swimlane, suggested the latest compromise may also involve the notorious extortion group. “Large insurers are sprawling ecosystems of subsidiaries, support teams, legacy platforms and regional workflows. That gives threat actors more places to test access, reuse lessons from prior campaigns and search for the fastest path back to valuable data,” he said. “The answer is not just more alerts. Security teams need connected workflows that can turn a signal in one part of the business into action everywhere else. Agentic AI and automation can help prioritize the riskiest activity, trigger containment steps and keep remediation moving before attackers get comfortable.”

Aflac Japan has notified the relevant authorities and stated that “no misuse of the information related to this incident has been confirmed.”

(Source: Infosecurity Magazine)

Topics

data breach 98% cybersecurity incident 96% personal information exposure 94% financial information theft 92% insurance sector breach 90% scattered spider group 88% sec filing 85% system shutdown 83% third-party access 81% customer impact 79%