
American insurance giant Aflac has disclosed a new data breach after attackers breached its Japan subsidiary’s systems and stole personal and bank account information.
Aflac (short for American Family Life Assurance Company) is a Fortune 500 company and the largest supplemental insurance provider in the United States, serving millions of customers in the U.S. and Japan.
In a filing with the U.S. Securities and Exchange Commission (SEC) on Monday, the company revealed that threat actors gained access to Aflac Japan’s systems earlier this month.
“On June 30, 2026, Aflac Life Insurance Japan Ltd. (“Aflac Japan”), a wholly owned subsidiary of Aflac Incorporated, a Georgia corporation (the “Company”), issued a press release announcing that, on June 25, 2026, Aflac Japan discovered an unauthorized third-party had unlawfully accessed certain of Aflac Japan’s systems between June 15, 2026 and June 25, 2026,” the insurance company said.
“Upon identifying the unlawful access, Aflac Japan promptly took steps designed to contain the incident and prevent further intrusion, including suspending certain systems. Notwithstanding the suspension of certain systems, Aflac Japan continues to serve its policyholders as it responds to this incident.”
Aflac is now investigating the incident with the help of external cybersecurity experts and has revealed that the threat actors have gained access to some sensitive information stored on the affected systems.
The company has alerted Japanese authorities to the incident and will notify affected individuals of the data breach.
“Although the investigation remains ongoing, Aflac Japan has determined that certain impacted files contain policy and coverage details, personal information, and bank account information. Aflac Japan has notified the Japan Financial Services Agency and other relevant authorities, and intends to provide appropriate notifications to individuals affected by this incident.
“This incident is limited to systems in Japan, the Company’s systems related to its U.S. business were not accessed by the unauthorized third-party. At this time, the full scope and potential ultimate impact on the Company are not known.”
An Aflac spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
One year ago, Aflac disclosed another data breach amid a broader campaign targeting insurance companies across the United States, saying that the attackers may have gained access to documents containing sensitive information about customers, beneficiaries, employees, agents, and other individuals.
While Aflac didn’t attribute last year’s breach to a specific threat group, the incident had all the signs of a Scattered Spider attack.
Scattered Spider (also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra) was also behind breaches at Erie Insurance and Philadelphia Insurance Companies (PHLY), part of the same wave of attacks.
They’ve also previously partnered with other ransomware operations, such as Qilin, RansomHub, and DragonForce, and their list of victims includes MGM Resorts, DoorDash, Caesars, MailChimp, Twilio, Coinbase, Riot Games, and Reddit.


