Cyber Incident Victim: Aflac
Date: Jan 2023
Location: Japan
Summary
A cyber incident impacted Aflac Japan through a vulnerability in a third-party marketing subcontractor's file transfer server, leading to the exposure of data belonging to approximately 1.3 million cancer insurance policyholders. Compromised information included names, ages, genders, insurance types, policy numbers, premiums, and plan details, which were subsequently posted on the dark web; the company confirmed the data's authenticity and removed it from the affected server to prevent further exposure. While Aflac stated the breach did not involve U.S. operations or personally identifiable information (PII), the disclosed data elements contradicted this assertion. A separate breach involving Zurich Insurance Japan affected over 750,000 automobile insurance customers, with stolen data encompassing names, policy numbers, emails, birthdates, and vehicle details, though both incidents were confined to Japanese customer data and attributed to unnamed third-party providers.
Description
On January 9, 2023, Aflac Japan discovered a data breach affecting approximately 1.3 million customers holding cancer insurance policies. The incident stemmed from a vulnerability in a file transfer server managed by a subcontractor of a third-party marketing vendor. Exposed data included customer names, ages, genders, insurance types, policy numbers, premium amounts, and specific plan details. Aflac confirmed the stolen information appeared on a dark web site but emphasized the breach was limited to Japanese operations, with no U.S. customer or operational data impacted. The company removed the compromised data from the third-party server to prevent further exposure and initiated direct customer notifications through individual communications. A dedicated call center was established to address inquiries. Aflac’s investigation verified the authenticity of the leaked data through dark web analysis.

Zurich Insurance Group simultaneously reported a similar breach involving 757,463 Japanese customers of its "Super Automobile Insurance" product, attributing it to a separate third-party service provider incident. Compromised Zurich data included policyholder names, customer IDs, email addresses, dates of birth, policy numbers, and vehicle-related information. The company clarified initial reports erroneously cited 2.6 million affected individuals. Zurich confirmed no compromise of its internal systems or non-Japanese customer data. Both insurers notified Japanese regulators and authorities while commencing customer outreach. Neither organization disclosed the identity of the third-party providers or confirmed whether the breaches were related. The incidents highlighted risks associated with third-party data handling, though neither company reported evidence of internal system intrusions beyond the vendor environments.
