Aflac is having the kind of year no insurer wants. The supplemental-insurance giant has disclosed that attackers breached its Japan subsidiary and accessed the personal and financial information of 4.38 million policyholders — the company’s second hacking incident to affect millions of people in under a year. Counting both events, HIPAA Journal now places Aflac’s cumulative exposure at more than 13.9 million individuals.
The intrusion hit Aflac Japan’s policyholder portal, which attackers accessed between June 15 and June 25, 2026. The exposed data reportedly includes policyholder personal details and premium payment account information — bank-account data tied to how customers pay their premiums. For an insurer whose entire value proposition rests on being the party you trust in a crisis, a second breach in a single year is a reputational problem as much as a security one.
What Was Taken
Aflac has characterized the compromised data as covering policyholder information and premium payment account details for its Japanese customers. The ten-day access window — June 15 to June 25 — suggests attackers had persistent, undetected entry to the portal for more than a week before the activity was identified and cut off.
Bank-account and premium-payment data is precisely the material that fuels downstream fraud: direct-debit manipulation, targeted phishing that references real policy details, and account-takeover attempts against customers who reuse credentials. Unlike a leaked marketing list, this is financially actionable information about people who, by definition, have money moving on a recurring schedule.
The Context: This Isn’t Aflac’s First Breach
The reason this lands harder is the pattern. In mid-2025, Aflac’s U.S. operations were caught in the Scattered Spider campaign that pivoted aggressively into the insurance sector — a social-engineering wave that hit multiple carriers through help-desk manipulation and vishing. That incident later ballooned to an estimated 22.65 million people as the true scope came into focus.
The Japan breach appears to be a separate incident against a different subsidiary and infrastructure — not a continuation of the Scattered Spider campaign — which is arguably worse news for Aflac. Two distinct intrusions, on two continents, in under twelve months, points to systemic exposure rather than a single unlucky day. When a company gets breached twice by different means, the question shifts from “who attacked us” to “why does our attack surface keep failing.”
A Familiar Notification Rhythm
The disclosure follows the now-standard cadence of large breach notifications: an initial figure that quantifies the confirmed exposure, with the acknowledgment that scope may expand as forensics continue. Breached readers have watched this movie repeatedly in 2026 — the Conduent breach that climbed to 62 million and the TriWest/TRICARE West compromise of military beneficiaries both started with a number and grew.
For Aflac Japan’s 4.38 million affected customers, the practical guidance is unchanged and unglamorous: watch premium-payment and bank accounts for unauthorized activity, treat any “Aflac” communication referencing your specific policy with suspicion, and change any password reused between the portal and other accounts. The data that leaked is the data fraudsters use to sound legitimate.
The Bigger Picture for Insurers
Insurance carriers have become a preferred target for a simple reason: they aggregate exactly the data attackers want — identity, health, and financial details — under one roof, and they hold it for the length of a policy, often decades. Aflac’s back-to-back breaches are a case study in why the sector keeps appearing in these headlines. The portals that let customers manage policies are internet-facing, credential-protected, and packed with monetizable data — a combination that rewards patient attackers and punishes any lapse in monitoring.
Aflac’s investigation is ongoing, and the 4.38 million figure should be read as a floor rather than a ceiling. What is already clear is that “second breach in a year” is a phrase no insurer survives without lasting damage to customer trust — the one asset an insurance company cannot afford to underwrite away.
Sources
- SecurityWeek — Aflac Japan Data Breach Impacts 4.38 Million
- BleepingComputer — Insurance giant Aflac discloses data breach after subsidiary hack
- GovInfoSecurity — Aflac Japan: Hack Detected Last Week Affects Nearly 4.4M
- HIPAA Journal — Aflac Data Breach: PHI of At Least 13.9 Million Individuals Compromised
- Insurance Business — Aflac Japan breach exposes millions of customer records

