ctipilot.ch

Aflac Japan subsidiary portal breach — 4.38M policyholders/agents

incident · incident:aflac-japan-portal-breach-2026

  • Coverage timeline: 1 (first 2026-07-01 → last 2026-07-01)
  • Briefs: 1 (1 distinct)
  • Sources cited: 4 (4 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-07-01 · CTI Daily Brief — 2026-07-01
    active_threats · First coverage: SEC 8-K discloses ~10-day portal intrusion, 4.38M PII exposed, ~230k with bank-account data

Where this entity is cited

  • active_threats: 1

Source distribution

  • bleepingcomputer.com: 1 (25%)
  • sec.gov: 1 (25%)
  • securityaffairs.com: 1 (25%)
  • securityweek.com: 1 (25%)

Related entities

Items in briefs about Aflac Japan subsidiary portal breach — 4.38M policyholders/agents (1)

Aflac discloses a Japan-subsidiary breach — 4.38 million policyholders and agents, ~10-day dwell before detection

From CTI Daily Brief — 2026-07-01 · published 2026-07-01

Aflac Incorporated filed an SEC Form 8-K on 2026-06-30 disclosing that attackers held unauthorized access to Aflac Life Insurance Japan's policyholder web portal for roughly ten days (2026-06-15 to 2026-06-25) and exfiltrated personal data on approximately 4.38 million customers and agents — names, addresses, phone numbers, dates of birth, gender, authentication details and insurance-account information; a subset of roughly 230,000 individuals also had premium-transfer bank-account details exposed, and no card data was accessed (SecurityWeek, 2026-06-30 · SEC EDGAR 8-K, 2026-06-30). Aflac says the intrusion was contained to Japan-subsidiary systems with US operations unaffected, the affected systems were suspended on discovery, and Japan's Financial Services Agency was notified (BleepingComputer, 2026-06-30). No initial-access vector or actor attribution is stated in any of the disclosures; this is Aflac's second disclosed breach in roughly a year, but the prior US incident's Scattered-Spider-adjacent framing has not been extended to the Japan event.

Defender takeaway: the operationally relevant fact is the ~10-day undetected dwell inside a customer-facing portal, during which bulk PII was exfiltrated. This is not a patchable CVE; it is a pattern to hunt for as sustained anomalous authenticated-session data pulls or API enumeration against public benefits, insurance or citizen-services portals. No IOC or CVE was disclosed; treat as an access-pattern anomaly cue.