Aflac has disclosed a data breach at its Japan subsidiary that exposed sensitive customer information, including policy details and bank account data.
According to a filing with the U.S. Securities and Exchange Commission (SEC), Aflac Life Insurance Japan Ltd. discovered the unauthorized access on June 25, 2026.
The company determined that attackers accessed certain systems between June 15 and June 25.
After identifying the intrusion, Aflac Japan took steps to contain the incident and prevent further unauthorized access, including suspending some systems.
Key Takeaways of the Aflac Japan Incident
- Aflac disclosed a data breach at its Japan subsidiary after attackers accessed systems containing policy information, personal data, and bank account information.
- The incident was limited to Aflac Japan, and the company said its U.S. business systems were not affected.
- The breach follows a separate 2025 cyberattack on Aflac’s U.S. operations that ultimately impacted approximately 22.65 million individuals.
Sensitive Customer Data Was Exposed
Aflac stated that the attackers accessed files containing policy and coverage details, personal information, and bank account information.
Although the company has not disclosed how many individuals were affected, the exposed data could increase the risk of financial fraud, identity theft, account takeover attempts, and targeted phishing.
The insurer is working with external cybersecurity experts to investigate the breach and determine its full scope.
Aflac Japan has also notified the Japan Financial Services Agency and other relevant authorities and plans to notify affected individuals as required.
The company said the investigation remains ongoing and the full impact of the incident has not yet been determined.
U.S. Operations Were Not Affected
Aflac emphasized that the compromise was limited to systems in Japan and did not affect systems supporting its U.S. business.
That distinction is notable because Aflac also disclosed a separate cybersecurity incident in June 2025 involving its U.S. business.
In that earlier incident, the company said it detected suspicious activity on a limited number of systems, contained the intrusion within hours, and confirmed that ransomware was not involved.
Aflac later said personal information associated with approximately 22.65 million individuals was involved in the 2025 incident.
A subsequent update reported that the protected health information of at least 13.9 million individuals had been exposed or stolen, making it one of the largest confirmed healthcare-related breaches of 2025.
Insurance Organizations Remain Attractive Targets
The two incidents appear to involve different environments, but together they underscore why insurance companies remain high-value targets for cybercriminals.
Insurers often store large volumes of sensitive information, including personal identifiers, health-related records, claims data, payment details, and banking information.
That combination of data can be used for identity theft, benefits fraud, credential attacks, social engineering, and financial scams.
Bank account details and policy information can also help attackers craft more convincing phishing messages that appear tied to real insurance activity.
How to Reduce Similar Risk
Organizations in the insurance sector continue to face persistent threats from financially motivated cybercriminals seeking access to sensitive customer and financial data.
A layered security strategy can help organizations reduce overall risk.
- Require phishing-resistant multi-factor authentication (MFA) for employees, contractors, and privileged accounts.
- Continuously monitor privileged accounts and administrative activity to quickly detect unauthorized access or suspicious behavior.
- Segment critical systems containing customer, financial, and policy data to limit lateral movement.
- Encrypt sensitive customer information in transit and at rest, and implement strict access controls so employees can access only the data required for their roles.
- Deploy EDR/XDR solutions and centralized logging to identify suspicious activity.
- Test incident response plans and use attack simulation tools with scenarios around phishing and other social engineering attacks.
These steps can help organizations reduce overall exposure and build resilience.
Bottom Line
Aflac has not attributed the Japan intrusion to a specific threat actor or disclosed how the attackers gained initial access.
However, the incident reinforces the need for insurance organizations to continuously monitor privileged access, segment sensitive systems, harden identity controls, and test incident response plans with real simulations, not just tabletop exercises.
As organizations strengthen identity and access controls, zero trust architectures can help reduce the risk of unauthorized access and lateral movement.





