The breach, announced on June 30 and updated on July 1, involved systems including Aflac Yorisou Net, a policyholder website used for checking contract details and carrying out account changes. The company said the intrusion was detected on June 25 after abnormal system activity and that related systems were shut down to prevent further access.
The exposed customer data includes names, dates of birth, gender, addresses, telephone numbers, policy numbers, coverage details and premium transfer account information. About 230,000 customers had premium payment account details compromised, including financial institution names, branch names, account types, account numbers and account holder names. National identification numbers and credit card information were not included in the affected data set.
Aflac Japan also said information linked to about 40,000 agencies was exposed, including representative names, agency addresses and telephone numbers. The count includes some former agencies that previously had outsourcing contracts with the insurer. No confirmed misuse of the leaked information has been identified so far, though customers have been urged to report suspicious contact or unusual account activity.
The incident has drawn a formal regulatory response. Japan’s Financial Services Agency issued a report collection order on July 1 under the Insurance Business Act and the personal information protection law, requiring the insurer to report the facts of the incident, customer response measures, root-cause analysis and steps to prevent recurrence. Police have also been notified.
The company’s initial investigation found that the first unauthorised access occurred on June 15 and that multiple attempts followed until June 25. Aflac Japan said it blocked the unauthorised access on the day it was discovered and suspended some systems as a precaution. Claims, benefit requests and customer procedures are still being accepted through call centres and other channels.
Aflac Incorporated, the US-listed parent company based in Columbus, Georgia, said the incident was limited to systems in Japan and that systems linked to its US business were not accessed. The company has engaged external cyber security specialists and said the full scope and financial impact remain under investigation.
The breach is significant because Japan is a core market for Aflac, which built much of its international franchise on cancer and medical insurance products. The company has long held a strong position in Japan’s supplemental health insurance market, supported by agency networks, financial institution partnerships and its policyholder base. Any prolonged disruption to digital policy servicing could test customer confidence at a time when insurers are pushing more account management and claims activity online.
The case also highlights the concentration of sensitive information held by life insurers. Policy records can contain identity data, family details, health-related coverage information, payment instructions and long-term contact histories. Even when credit card numbers and national identification numbers are not exposed, the combination of names, addresses, dates of birth, policy details and bank account data can support targeted phishing, impersonation attempts and social engineering.
Cyber attacks on insurers have become a sharper concern for regulators because the sector sits at the intersection of finance, healthcare and personal identity. Insurers store data that may remain useful to criminals for years, unlike passwords or card numbers that can be changed quickly. Breaches can therefore create risks that extend beyond the immediate theft of files, including fraudulent calls, fake premium requests, bogus claims assistance and attempts to trick customers into disclosing additional information.
Aflac has faced cyber scrutiny before. Its US business disclosed a separate cyber security incident in June 2025 involving unauthorised access through social engineering tactics. That incident involved potentially exposed claims, health and personal information. The company later notified affected individuals after completing a review of impacted files. The Japan breach is being treated as a separate incident, with the company stating that US systems were not accessed.
The latest case places pressure on Aflac Japan to restore affected systems without widening exposure, identify precisely which files were accessed and provide timely notices to customers and agencies. The insurer has said it will send apology and notification letters to affected customers in sequence and will issue further updates if the number of affected people or data categories changes.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.