Hackers Steal Data of 4.38 Million Aflac Japan Customers

Hackers stole data from 4.38 million Aflac Japan customers after accessing its systems for 10 days before the breach was detected.

Aflac Japan disclosed that hackers stole the personal information of 4.38 million customers and agents after gaining access to its systems between June 15 and June 25. Attackers stole data from the company policyholder portal. The exposed information includes names, addresses, phone numbers, dates of birth, gender, security details, and insurance account information. The type of exposed data varies by customer.

The company said it quickly contained the breach by suspending affected systems. The incident is limited to Aflac Japan and did not impact U.S. operations. Several customer services remain unavailable while the company continues recovery efforts.

“On June 30, 2026, Aflac Life Insurance Japan Ltd. (“Aflac Japan”), a wholly owned subsidiary of Aflac Incorporated, a Georgia corporation (the “Company”), issued a press release announcing that, on June 25, 2026, Aflac Japan discovered an unauthorized third-party had unlawfully accessed certain of Aflac Japan’s systems between June 15, 2026 and June 25, 2026.” reads the FORM 8-K filed with SEC.

The company is investigating the incident with the help of third-party cybersecurity experts.

“Although the investigation remains ongoing, Aflac Japan has determined that certain impacted files contain policy and coverage details, personal information, and bank account information.” continues the report. “Aflac Japan has notified the Japan Financial Services Agency and other relevant authorities, and intends to provide appropriate notifications to individuals affected by this incident.”

The company pointed out that the incident only impacted Japanese systems. The company said its U.S. systems were not affected or accessed by the attackers, and the full impact of the incident is still under investigation.

“It has come to our attention that our customer-only website, “Aflac Yoriso Net *1 ” (hereinafter referred to as “Yoriso Net”), and other systems were subjected to unauthorized access by a third party, resulting in the leakage of some information, including customers’ personal information. At this time, no misuse of the information related to this incident has been confirmed.” reads the press release published by the company.

Aflac Japan said the type of exposed data varies by customer and that affected individuals will receive letters explaining what information was compromised. The company added that its investigation is ongoing with the support of external cybersecurity experts and that it has notified the relevant authorities.

The company added that its investigation is ongoing with the support of external cybersecurity experts and that it has notified the relevant authorities.

The company is going to notify the impacted individuals by letter.

Aflac is among several insurance companies hit in 2025 by cyberattacks, including Allianz Life, in a wave linked to the cybercrime group Scattered Spider.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)