AFLAC Japan announced on 30 June that attackers had accessed the personal data of 4.38 million customers after repeatedly entering the insurer’s networks beginning in mid‑June, according to a report by SecurityWeek. The intrusion was not detected until 25 June, and no systems supporting the company’s United States operations were compromised. The disclosure came in a filing with the U.S. Securities and Exchange Commission.
The stolen information includes names, addresses, telephone numbers and insurance account details for all affected individuals, with bank transfer data exposed for roughly 230 000 people. No payment card numbers or health records were mentioned in the filing. The breach did not involve any known software vulnerability, as no CVE identifiers have been linked to the incident.
Investigators say the attackers gained entry multiple times over a period of about ten days before the activity triggered alerts that led to the discovery. The exact entry vector has not been disclosed publicly, but the insurer has stated that it is now working to secure its environment and has begun notifying those whose data was taken. Aflac Japan confirmed that its US‑based systems remain isolated from the affected Japanese infrastructure.
Aflac, a Fortune 500 company and a leading provider of supplemental insurance in both the United States and Japan, disclosed the breach through an SEC Form 8‑K filing, which can be viewed at the commission’s archive here. To date, no threat actor has been claimed responsibility and there is no evidence that the stolen data has been misused in fraud or identity theft. The incident adds to a growing series of high‑profile compromises affecting large insurers in the Asia‑Pacific region.
Organisations that hold similar volumes of personal and financial data should review authentication controls, ensuring that multi‑factor authentication is enforced for all privileged and remote access points. Network segmentation can limit an attacker’s ability to move laterally once inside, while continuous monitoring of login anomalies and data exfiltration patterns helps detect intrusions early. Encrypting sensitive fields at rest and in transit reduces the value of any data that might be copied.
For the individuals whose information was exposed, security experts advise watching for unexpected communications that request additional personal details or prompt urgent financial actions, as these could be phishing attempts leveraging the breach. Considering a credit freeze or fraud alert with the major credit bureaus may also mitigate the risk of unauthorized accounts being opened in their names. Aflac Japan has said it will offer identity‑protection services to affected customers as part of its response.