Cyber Incident Victim: Aflac Life Insurance Japan
Date:
Jun 2026
Location:
Japan
Summary
Aflac Life Insurance Japan reported that hackers gained unauthorized access to its systems and exfiltrated personal information of approximately 4.38 million customers and agents, including names, addresses, phone numbers, dates of birth, gender, security details and insurance account data, while also obtaining premium transfer account information for about 230,000 individuals; no credit card data was compromised. The breach disrupted several online services, which remain unavailable as the company works to restore them, and after detecting the intrusion Aflac Japan suspended affected systems, notified regulators, and launched an investigation assisted by third‑party cybersecurity experts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 15, 2026, attackers gained unauthorized access to certain systems of Aflac Life Insurance Japan, a subsidiary of the global insurer Aflac, and continued to intrude on those systems multiple times until June 25, when the breach was detected and disclosed in a filing with the U.S. Securities and Exchange Commission. Upon identifying the unlawful entry, Aflac Japan immediately initiated containment measures, which included suspending specific affected systems to prevent further intrusion. The company emphasized that the incident was confined to its Japan‑based infrastructure and did not extend to any systems supporting its U.S. operations. Aflac Japan also stated that it had begun notifying the appropriate regulatory authorities about the breach.

The unauthorized access resulted in the exfiltration of personal data belonging to approximately 4.38 million customers and agents, a figure the company described as likely affected. The compromised information varied by individual but generally included names, addresses, telephone numbers, dates of birth, gender, security‑related details, and insurance account information. In addition, the attackers obtained the insurance premium transfer account information of roughly 230,000 individuals, while no credit‑card data were accessed according to Aflac Japan’s assessment. Because the types of exposed data differ from person to person, each affected customer will receive a personalized notification letter outlining the specific information that was compromised in their case. An FAQ published on Aflac Japan’s website noted that at least five distinct services have been disrupted as a consequence of the breach.
As of the announcement, Aflac Japan could not provide an estimate for when the disrupted services might be restored, indicating that the impact on operations remains ongoing. The company said its investigation into the attack is continuing, supported by third‑party cybersecurity experts who are assisting in analyzing the intrusion and identifying any residual risks. Aflac Japan also confirmed that it has notified the relevant authorities in accordance with legal and regulatory requirements. The SEC filing disclosed that the breach was limited to the Japanese subsidiary’s systems and does not affect the broader Aflac corporate network. No further details about the attackers’ identity, motives, or methods were provided in the available sources.
