US insurer Aflac has disclosed a major data breach after hackers managed to access highly sensitive personal and financial information.
The company’s Aflac Japan subsidiary discovered the intrusion on June 25, it said in a filing with the SEC yesterday (June 30). It explained that an “unauthorized third party” had accessed certain systems between June 15 and June 25.
“Although the investigation remains ongoing, Aflac Japan has determined that certain impacted files contain policy and coverage details, personal information, and bank account information,” it revealed.
“This incident is limited to systems in Japan, the company’s systems related to its US business were not accessed by the unauthorized third-party. At this time, the full scope and potential ultimate impact on the company are not known.”
A statement posted on Aflac Japan’s website revealed that the incident impacted the firm’s customer portal.
“Please note that some systems are currently shut down to prevent the spread of unauthorized access,” it said (via Google Translate). “However, inquiries and procedures, including claims for insurance benefits and other payments, are being handled as usual through our call center and other channels.”
Among the services currently out of action are reservations for medical check-ups and health screening, and the firm’s AI support concierge.
According to local reports, personal and financial information on nearly 4.4 million customers has been compromised. This includes information about the premium payment accounts of around 230,000 customers.
Another Scattered Spider Attack?
This isn’t the first time Aflac Japan has suffered at the hands of threat actors.
In 2023, Aflac Japan customers’ details were stolen and put up for sale after a third-party US contractor was reportedly breached.
A year ago, the firm suffered another data breach which was claimed to be part of a wider campaign targeting US insurers thought to be the work of the Scattered Spider group.
Joshua Roback, principal security solution architect at Swimlane, said the latest compromise could also be linked to the notorious extortion group.
“Large insurers are sprawling ecosystems of subsidiaries, support teams, legacy platforms and regional workflows. That gives threat actors more places to test access, reuse lessons from prior campaigns and search for the fastest path back to valuable data,” he said.
“The answer is not just more alerts. Security teams need connected workflows that can turn a signal in one part of the business into action everywhere else. Agentic AI and automation can help prioritize the riskiest activity, trigger containment steps and keep remediation moving before attackers get comfortable.”
Aflac Japan has notified the relevant authorities and claimed that “no misuse of the information related to this incident has been confirmed.”
Image credit: yu_photo / Shutterstock.com
