Nearly 4.4 million customers of Aflac Japan may have had personal and financial information exposed after an unauthorized party accessed company systems during a ten-day window in June, the insurer disclosed in a June 30 filing with the U.S. Securities and Exchange Commission.
Aflac Japan: timeline and scope
Aflac Japan discovered the intrusion on June 25 and said the unauthorized third party had accessed certain systems between June 15 and June 25, according to the SEC filing. The company said the incident is “limited to systems in Japan” and that “the company’s systems related to its US business were not accessed by the unauthorized third-party.” Aflac also cautioned that “the full scope and potential ultimate impact on the company are not known” as the investigation remains ongoing.
Data types exposed and scale
In its disclosure Aflac Japan said investigators “have determined that certain impacted files contain policy and coverage details, personal information, and bank account information.” Local reports cited in the filing put the number of affected customers at nearly 4.4 million. Those reports also said information about the premium payment accounts of around 230,000 customers was compromised.
Service disruptions and customer handling
A statement on Aflac Japan’s website — provided via Google Translate in the disclosure — said the incident impacted the firm’s customer portal. “Please note that some systems are currently shut down to prevent the spread of unauthorized access,” it said. The notice added: “However, inquiries and procedures, including claims for insurance benefits and other payments, are being handled as usual through our call center and other channels.”
- Services reported out of action included reservations for medical check-ups and health screening.
- The firm’s AI support concierge was also listed among affected services.
Prior incidents and the possible Scattered Spider connection
Aflac Japan is no stranger to data-theft incidents. The company’s disclosure notes that in 2023 Aflac Japan customers’ details were stolen and put up for sale after a third-party U.S. contractor was reportedly breached. The filing also recalls that “a year ago” the firm suffered another data breach that was claimed to be part of a wider campaign targeting U.S. insurers and thought to be the work of the Scattered Spider group.
Joshua Roback, principal security solution architect at Swimlane, commented on the June compromise and the pattern of attacks. “Large insurers are sprawling ecosystems of subsidiaries, support teams, legacy platforms and regional workflows. That gives threat actors more places to test access, reuse lessons from prior campaigns and search for the fastest path back to valuable data,” he said. “The answer is not just more alerts. Security teams need connected workflows that can turn a signal in one part of the business into action everywhere else. Agentic AI and automation can help prioritize the riskiest activity, trigger containment steps and keep remediation moving before attackers get comfortable.”
What this means for technologists, regulators, and customers
- Technologists and security teams: The company’s own description of impacted systems and Roback’s comments point to the operational challenge of protecting sprawling insurer architectures — subsidiaries, legacy platforms and regional workflows — and the need to convert isolated signals into coordinated containment and remediation actions.
- Regulators and authorities: Aflac Japan has notified “the relevant authorities,” and the parent company filed the incident with the SEC on June 30. Regulators will follow the investigation’s findings, notification steps and any evidence of misuse of the data.
- Customers: Nearly 4.4 million customers were named in reporting as impacted, and roughly 230,000 had premium payment account information involved. Aflac Japan said no misuse of the information “related to this incident has been confirmed” so far, and that routine inquiries and claims processing remain available via call centers and other channels.
The investigation in Japan is active and Aflac’s public disclosures leave a narrow set of confirmed facts: a June 15–25 period of unauthorized access, files containing policy, personal and bank account information, service disruptions to the customer portal and related systems, notification to authorities, and no confirmed misuse to date. Whether the intrusion will be tied definitively to the Scattered Spider activity previously reported against insurers — or whether the exposed data will be misused or monetized — remains to be established as the company and authorities continue their work.
Source: Infosecurity Magazine — Insurance Giant Aflac Discloses Data Breach Impacting Millions




