Home · Briefs · CTI Daily Brief — 2026-07-01
Aflac discloses a Japan-subsidiary breach — 4.38 million policyholders and agents, ~10-day dwell before detection
From CTI Daily Brief — 2026-07-01 · published 2026-07-01
Aflac Incorporated filed an SEC Form 8-K on 2026-06-30 disclosing that attackers held unauthorized access to Aflac Life Insurance Japan's policyholder web portal for roughly ten days (2026-06-15 to 2026-06-25) and exfiltrated personal data on approximately 4.38 million customers and agents — names, addresses, phone numbers, dates of birth, gender, authentication details and insurance-account information; a subset of roughly 230,000 individuals also had premium-transfer bank-account details exposed, and no card data was accessed (SecurityWeek, 2026-06-30 · SEC EDGAR 8-K, 2026-06-30). Aflac says the intrusion was contained to Japan-subsidiary systems with US operations unaffected, the affected systems were suspended on discovery, and Japan's Financial Services Agency was notified (BleepingComputer, 2026-06-30). No initial-access vector or actor attribution is stated in any of the disclosures; this is Aflac's second disclosed breach in roughly a year, but the prior US incident's Scattered-Spider-adjacent framing has not been extended to the Japan event.