Aflac Life Insurance Japan Ltd. has officially disclosed a major cyberattack that resulted in the unauthorized access and leakage of personal and financial information belonging to approximately 4.38 million customers and agents.
The breach, which targeted the insurer’s dedicated policyholder portal and underlying information processing units, exposes millions to heightened risks of identity theft, financial fraud, and highly coordinated phishing campaigns.
Chronology of the Breach
According to regulatory filings with the U.S. Securities and Exchange Commission (SEC) and reports provided to Japan’s Financial Services Agency (FSA), the cybercriminals maintained persistent, undetected access to Aflac Japan’s infrastructure for over a week.
The unauthorized third party successfully bypasses perimeter defenses, infiltrating the primary policyholder web portal, “Aflac Yorisou Net,” and accessing back-end files.
Over a 10-day period, the attackers make repeated intrusions to quietly extract sensitive records belonging to millions of clients and roughly 40,000 associated agencies.
Aflac Japan’s IT security teams flag a massive, unusual spike in system load. A high central processing unit (CPU) utilization alert triggers an internal forensic sweep, revealing the ongoing breach.
Security teams block the attack vectors and intentionally shut down the customer portal and at least five secondary digital services to halt further data leakage.
Aflac Japan formally issues apologies to its customer base and submits required legal disclosures to Japanese police, the Financial Services Agency, and international regulators.
What Data Was Stolen?
The exposed data varies by individual, but it broadly encompasses highly sensitive personal and financial data.
While Aflac has verified that no credit card numbers were compromised, the breakdown of the stolen information remains extensive:
Identity Details: Full names, dates of birth, gender, home addresses, and telephone numbers.
Policy Analytics: Policy numbers, exact insurance coverage details, and individual agent designations.
Banking Credentials: For approximately 230,000 affected customers, the data used for automatic insurance premium transfers was exposed. This includes financial institution names, specific branch codes, account types, bank account numbers, and the registered account holder’s name.
Agency Information: Operational data on roughly 40,000 partner agencies, containing names, corporate addresses, and telephone numbers of agency representatives.
Industry Context: This incident follows a staggering June 2025 cyberattack targeting Aflac’s U.S. operations, which compromised the personal and medical data of over 22 million individuals. Security analysts note that large supplementary insurers remain prime targets for extortion groups like Scattered Spider due to the incredibly high concentrations of long-term personal, medical, and financial data they retain.
Immediate Steps for Aflac Japan Policyholders
Aflac Japan has stated that no fraudulent use of the data has yet been verified, and it is notifying impacted individuals in stages. If you are a policyholder or partner agent, the following mitigation steps are strongly recommended:
Monitor Banking Activity: Closely audit all bank statements for unexpected micro-transactions or unauthorized automated clearing house (ACH) withdrawals.
Deploy Fraud Alerts: Contact your banking institution to enable real-time transaction alerts for any activity originating from your premium transfer accounts.
Exercise Extreme Phishing Caution: Expect a localized surge in social engineering. Scammers frequently use leaked policy numbers and specific insurance data to craft hyper-believable phishing emails, phone calls, or SMS messages posing as official Aflac representatives. Never click embedded links or provide security credentials over unsolicited communications.
Aflac Japan is currently collaborating with third-party digital forensics firms to evaluate structural changes to its web portal security before gradually restoring the applications it took offline.