Aflac Just Lost Bank Account Data in Japan — Are You Next?

A 10-day intrusion ended with policy details and bank account numbers in the wrong hands. The pattern behind it should worry every insurance customer.

Founder & Lead Technician

June 30, 2026 at 5:15 PM IST

Quick answer

Aflac disclosed in an SEC filing that attackers accessed its Japan subsidiary between June 15 and June 25, 2026, stealing policy details, personal information, and bank account data. US systems were not affected, but the full scope is still unknown.

Attackers spent ten days inside one of the world's largest insurers — and walked out with bank account data.

Aflac, the Fortune 500 supplemental insurance giant, just told the SEC that intruders breached its Japan subsidiary and stole sensitive customer records. Policy details. Personal information. Bank account numbers.

If you hold an Aflac policy in Japan, this is about your money. If you hold one anywhere else, the pattern behind this attack is the part that should worry you.

What Aflac actually disclosed

In a filing with the U.S. Securities and Exchange Commission, Aflac confirmed that an unauthorized third party unlawfully accessed certain systems at Aflac Life Insurance Japan Ltd — a wholly owned subsidiary of the Georgia-based parent.

The timeline is tight and ugly. The intruder was inside between June 15 and June 25, 2026. Aflac Japan discovered the unauthorized access on June 25 and went public with a press release on June 30.

That is roughly a ten-day window where someone who should not have been there was moving through insurance systems holding millions of customer records.

Aflac says it moved fast once it noticed: it took containment steps, suspended certain systems, and pulled in external cybersecurity experts to investigate. Despite the suspensions, the company says Aflac Japan kept serving policyholders.

The data that matters most

Here is the line that should make you sit up. Aflac has determined that impacted files contain policy and coverage details, personal information, and bank account information.

Bank account information is the dangerous one. Stolen names and policy numbers fuel phishing. Stolen bank details fuel direct financial fraud — fake debit notices, account takeover attempts, and convincing scam calls that already know your insurer and your account.

If you are an Aflac Japan policyholder, treat any unexpected message about your policy or bank account as hostile until you have verified it through an official channel you looked up yourself.

Aflac has notified the Japan Financial Services Agency and other authorities, and says it intends to notify affected individuals directly. But notification takes time — and attackers do not wait for it.

So what does this actually mean for you?

The company is clear on one point: this incident is limited to systems in Japan. Aflac states its U.S. business systems were not accessed by the unauthorized third party.

That is genuine good news for American customers — but read the next sentence carefully. Aflac also says the full scope and potential ultimate impact are not yet known. Early breach statements almost always describe a floor, not a ceiling. The number of affected people and records tends to grow as forensics continue, not shrink.

So if you are a U.S. policyholder feeling relieved, stay relieved — but stay subscribed to the updates.

Why this keeps happening to insurers

This is not Aflac's first rodeo, and that is the real story.

One year ago, Aflac disclosed a separate data breach during a broader campaign that was hammering insurance companies across the United States. At the time, the company warned that attackers may have accessed documents with sensitive information about customers, beneficiaries, employees, agents, and other individuals.

Aflac did not formally attribute that earlier incident to a named group, but it carried the fingerprints of Scattered Spider — a loose, aggressive crew known for social-engineering its way past help desks and identity systems rather than relying on exotic malware.

Insurers are a magnet for this kind of attack for a simple reason: they sit on dense piles of identity and financial data, and they run sprawling networks of subsidiaries, agents, and third parties. Every one of those connections is a door. Breach one subsidiary, as happened here with Aflac Japan, and you can reach data that the parent company spent years protecting at the core.

What to do tonight if you are an Aflac customer

You cannot un-breach a company. You can shrink your exposure. Here is a concrete checklist.

  • Watch your bank account daily for now. Because account information was exposed, set up real-time transaction alerts and flag anything unfamiliar immediately.
  • Assume the scammers know your insurer. Any call, text, or email referencing your Aflac policy could be built on stolen data. Do not click links or share codes. Hang up and call back using a number from your policy paperwork.
  • Change passwords and turn on multi-factor authentication on your insurance portal and your email — especially if you reused a password anywhere.
  • Consider a fraud alert or credit monitoring if you are in a market where that is available, and accept any monitoring Aflac offers affected customers.
  • Keep the official breach notice. If you later spot fraud, that documentation matters for disputes and claims.

What happens next (24 to 72 hours)

Expect the investigation to keep unfolding in public. In the near term, watch for three things: a clearer count of how many individuals were affected, formal notification letters going out to Aflac Japan policyholders, and possible regulatory follow-up from the Japan Financial Services Agency.

If a known threat group claims the attack or leaks a data sample, the picture could shift quickly from internal investigation to active extortion — a familiar arc for breaches of this type.

The bigger lesson outlives this one incident. When a company is large enough, the weakest link is rarely its flagship system — it is a subsidiary, a vendor, or a help desk on the other side of the world. Aflac's core U.S. systems held. A subsidiary in Japan did not. For attackers chasing your data, that distinction does not matter at all.

Source: BleepingComputer

Frequently asked questions

Was Aflac in the United States affected by this breach?

No. Aflac says this incident is limited to systems at its Japan subsidiary, Aflac Life Insurance Japan Ltd. The company states its US business systems were not accessed by the unauthorized third party. Still, the full scope and ultimate impact are not yet known, so US customers should stay alert for follow-up notices.

What kind of data was stolen in the Aflac Japan breach?

According to Aflac, impacted files contain policy and coverage details, personal information, and bank account information. Because bank account data is involved, affected individuals face a higher risk of targeted financial fraud and should watch their accounts and statements closely.

How long did attackers have access to Aflac Japan systems?

Aflac says an unauthorized third party unlawfully accessed certain Aflac Japan systems between June 15 and June 25, 2026 — roughly a 10-day window. The intrusion was discovered on June 25, and the company disclosed it publicly in a June 30 press release and an SEC filing.


Daniel founded Ask Technicians to cut through bad tech advice. He writes hands-on troubleshooting guides drawn from years of real-world repair and support work.
