Between June 15 and June 25, 2026, attackers gained unauthorized access multiple times to Aflac Japan's policyholder portal, resulting in the exfiltration of personal data for approximately 4.38 million customers and agents. The compromised data includes personal identifiers and insurance-related information, with a subset of 230,000 individuals having their insurance premium transfer account information accessed. The breach was confined to Aflac Japan's systems and did not impact Aflac's US operations. Upon discovery, Aflac Japan suspended affected systems to contain the incident and engaged third-party experts to assist in the investigation. Notifications were sent to affected individuals and authorities. No credit card data was compromised. The breach's root cause and vulnerability exploited have not been disclosed.

The breach exposed sensitive personal and insurance-related information of approximately 4.38 million individuals, potentially increasing the risk of identity theft, fraud, and targeted phishing attacks. The exposure of insurance premium transfer account information for around 230,000 people could lead to financial fraud attempts. Service disruptions affected at least five Aflac Japan services, with no estimated restoration timeline provided. The breach did not impact Aflac's US business systems. No credit card information was compromised, limiting the scope of financial data exposure.

Aflac Japan has taken immediate containment measures by suspending affected systems to prevent further unauthorized access. The company is conducting an ongoing investigation supported by third-party cybersecurity experts and has notified relevant authorities. Affected customers will receive notification letters detailing the specific information exposed. No official patch or remediation details have been provided. Organizations should monitor communications from Aflac Japan for updates and follow any guidance issued. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.