4.38 million
customers and agents whose personal information was stolen from Aflac Life Insurance Japan Ltd. in the June 2026 breach
230,000
customers whose bank premium transfer account information was directly exfiltrated — the highest-risk subset of the breach
10 days
attackers maintained undetected persistent access before a CPU load spike triggered discovery on June 25, 2026
2nd major breach
Aflac Japan has suffered major data breaches in both 2025 and 2026, reflecting persistent targeting of insurance sector identity infrastructure

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Hackers stole the names, addresses, dates of birth, insurance policy details, and bank account information of 4.38 million Aflac Japan customers in a June 2026 breach that went undetected for 10 days — and the Aflac Japan data breach was only discovered when the volume of data being exfiltrated caused a CPU overload on the company's servers. Aflac Life Insurance Japan Ltd. disclosed the incident on June 30, 2026, confirming unauthorized third-party access between June 15 and June 25, 2026.

Two distinct categories of data were exposed. The broader dataset of 4.38 million records contains personally identifiable information: full names, residential addresses, phone numbers, dates of birth, gender, security authentication details, and insurance policy and coverage specifics. Within that set, approximately 230,000 customers had their premium transfer bank account information directly exfiltrated — the debit account details used to pay insurance premiums each month. Aflac confirmed no credit card data was compromised and that U.S. Aflac operations were not affected.

The insurance sector holds data that is uniquely dangerous in attackers' hands. Unlike stolen credit card numbers, which financial institutions can cancel and replace within hours, insurance PII combines stable identity attributes — name, date of birth, address, policy number — with linked financial account data into a package built for long-term identity fraud. The 230,000 bank account records represent premium-grade dark web inventory for financial fraud, account takeover, and social engineering attacks against both the affected individuals and Aflac Japan's own customer service infrastructure. Those records are moving through dark web channels now.

How Does an Insurance Data Breach Enable Identity Fraud?

An insurance breach is structurally more dangerous than a retail breach. When an attacker steals credit card numbers, the damage is bounded: the card is canceled, a new one issued, and the fraudulent window closes within hours. Insurance data does not work this way.

The Aflac Japan data breach exposed name, address, date of birth, gender, phone number, and policy details for 4.38 million people. These attributes do not expire and cannot be replaced. A date of birth, home address, and full name combined with an insurance policy number constitutes a verified identity package. Threat actors use these packages in three primary fraud patterns: account takeover through customer service social engineering (calling the insurer to update beneficiary or payment details), synthetic identity creation (combining real PII with manufactured information to open new financial accounts), and targeted phishing (crafting personalized messages that reference accurate policy details to gain victim trust).

The 230,000 bank account records add a fourth attack vector: direct financial fraud. Premium transfer accounts are the bank accounts from which insurance premiums are automatically debited. Attackers who obtain account numbers and the associated policyholder details can initiate unauthorized ACH transfers, set up fraudulent direct debits, or present convincing impersonation claims to banking institutions.

Insurance records fetch $250 or more per complete record bundle on dark web markets according to the Privacy Affairs Dark Web Price Index, because they combine verified identity data with confirmed financial relationships. The 4.38 million records from this breach represent significant dark web inventory, and the bank account subset drives the premium valuation of the stolen dataset.

What Data Was Stolen in the Aflac Japan Breach?

Aflac Life Insurance Japan Ltd. confirmed the breach in a June 30, 2026 disclosure and in an 8-K material event filing with the U.S. Securities and Exchange Commission. An unauthorized third party accessed certain Aflac Japan systems between June 15, 2026, and June 25, 2026 — a 10-day window during which the intrusion went undetected.

The exfiltrated data falls into two tiers. The first tier covers 4.38 million customers and sales agents and includes full names, residential addresses, phone numbers, dates of birth, gender, security authentication information, insurance policy numbers, coverage details, and agency information for sales agents in the affected dataset.

The second tier, the higher-risk subset, covers approximately 230,000 customers whose insurance premium transfer bank account information was exfiltrated. Premium transfer accounts are the bank accounts customers link to their Aflac policies for automatic premium deductions. The exfiltrated records include sufficient financial account identifiers to enable unauthorized banking transactions.

Aflac stated that no credit card information was accessed in the breach. The company's U.S. systems, which operate independently from Aflac Japan, were not affected. Aflac Japan has notified the Japanese Financial Services Agency and other applicable regulators as required under Japanese law.

The detection mechanism underscores the scale of the theft: attackers exfiltrated data for 10 days without tripping a single access alert. The breach was only identified when the volume of simultaneous data reads caused a CPU performance anomaly on June 25. Systems were immediately suspended to halt exfiltration and contain the incident.

The stolen data includes policy and coverage details, personal information, and bank account information — the insurance premium transfer accounts of roughly 230,000 customers were also taken.

Aflac Inc. 8-K SEC Filing, June 30, 2026
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Scattered Spider and the Pattern of Insurance Sector Targeting

Aflac has not attributed the June 2026 breach to a specific threat actor, and the initial access method has not been publicly disclosed. The profile of the attack shares characteristics with Scattered Spider operations: persistent authenticated access maintained without triggering access control alerts, large-scale data exfiltration, and targeting of a Japan-based insurance subsidiary.

Scattered Spider is a financially motivated threat group that primarily operates through social engineering, vishing (voice phishing), and identity-based attacks rather than technical exploits. The group targets help desks and identity provider platforms, typically calling IT support personnel and impersonating employees to reset credentials or bypass multi-factor authentication. Scattered Spider was previously linked to a 2025 breach of Aflac's U.S. systems and has been attributed to incidents at Erie Insurance, Philadelphia Insurance Companies, and several major U.S. insurers over the past 18 months.

The insurance sector is structurally attractive to this type of threat actor. Insurance companies hold large volumes of verified identity data on millions of individuals, the data is centrally stored in policy management systems, and the high-volume nature of insurance operations means bulk data transfers do not immediately stand out as anomalous. Aflac Japan's 10-day dwell time with no detection until CPU load signaled the breach illustrates this vulnerability precisely.

Regardless of attribution, the attack pattern points to a clear defensive priority: organizations holding insurance records need anomaly-based detection on bulk data access from policy management and customer databases, not only alert-based detection on known-bad indicators.

What Happens to Aflac Japan Data on the Dark Web?

Insurance PII from breaches like the Aflac Japan data breach reaches dark web markets through a predictable pipeline. After exfiltration, data is staged on attacker-controlled infrastructure, assessed for completeness and quality, then packaged for sale on invite-only dark web forums, Telegram channels, or direct broker transactions. The timeline from exfiltration to dark web listing is typically two to eight weeks — meaning Aflac Japan records are entering dark web channels now if they have not already.

Insurance records with financial account data command premium prices because they enable multiple fraud types from a single purchase. The bank account subset — 230,000 premium transfer account records — is particularly valuable. Buyers can use the financial account data directly for unauthorized transfers, or combine it with the PII to approach the target's bank with convincing identity verification information.

The 4.38 million PII records are lower-value per record but high-value in aggregate. Fraud rings specializing in insurance identity fraud — filing fraudulent claims, changing beneficiary designations, applying for new policies under victims' names — pay for bulk records because policy numbers and coverage details enable credible impersonation requests to insurance company representatives.

Breach data does not exist in isolation. The <a href="/blog/24-billion-credentials-exposed-elasticsearch-dark-web">24 billion credential dump discovered in June 2026</a> demonstrates how fresh breach data aggregates with existing compiled credentials to create increasingly complete identity profiles. If you hold an Aflac Japan policy, your data from this breach may combine with previously leaked records to create a higher-resolution identity package than either breach produced alone. The <a href="/blog/dhs-hsin-breach-federal-security-intel-sharepoint-2026">DHS HSIN breach from the same period</a> confirms this is a concentrated wave of identity-focused intrusions targeting multiple sectors simultaneously — not a single isolated incident.

Indicators and Exposure Verification Steps

No external network IOCs — IP addresses, domains, or malware hashes — have been published in connection with the Aflac Japan data breach as of July 16, 2026. Aflac Japan has not disclosed the technical indicators observed during the intrusion. The only confirmed detection signal was the CPU load spike on June 25 that prompted system suspension and investigation.

For individuals affected by the Aflac Japan data breach, exposure verification follows a different model than technical IOC checking. The relevant question is not which IP address the attacker used, but whether your specific records are in circulation and how to monitor for downstream fraud.

Verify your exposure now: visit haveibeenpwned.com and enter your email address to check for confirmed dumps linked to insurance sector breaches. Request a credit report copy from each major bureau to look for accounts or inquiries you did not initiate. Contact Aflac Japan directly to confirm whether your specific policy was in the affected dataset. Review bank account statements for the account linked to your Aflac Japan premium transfer for unauthorized debits.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Sigma Detection Rules for Identity-Based Data Theft

No Sigma rules exist specific to the Aflac Japan data breach — no CVE was involved and no technical attack tool has been publicly identified. Detection for this class of attack targets the identity and authentication layer that social engineering threat groups like Scattered Spider abuse for initial access, rather than any specific exploit or malware signature.

The three rules below target Okta identity provider telemetry, the most common detection surface for social engineering-based initial access in enterprise insurance and financial environments. Deploy them against your Okta System Log if your organization uses Okta as an identity provider. These rules detect behavioral anomalies in authentication events that appear regardless of which specific threat actor is involved.

Convert each rule to your SIEM's native query syntax using sigma-cli. For Splunk, run sigma convert -t splunk rule.yml. For Microsoft Sentinel, use the microsoft365defender or azuremonitor backend. The Okta User Session Start Via Anonymising Proxy rule produces the most actionable signal when tuned against your user population's normal login geography: any session from a Tor exit node, residential proxy, or anonymizer combined with access to sensitive policy data warrants immediate review.

Subscribe to unlock Sigma Detection Rules

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How to Protect Your Information After the Aflac Japan Data Breach

Aflac Japan is notifying affected customers and has engaged external cybersecurity experts for the ongoing investigation. Breach notifications take weeks to arrive — the data is already exfiltrated. These steps do not require waiting for a letter from Aflac.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why the Aflac Japan Data Breach Matters for Your Organization

The Aflac Japan data breach reveals a structural detection gap that extends well beyond Aflac. An attacker who obtained authenticated access to policy management systems sustained undetected access for 10 days and exfiltrated records on 4.38 million people without tripping a single access control alert. The only detection was an incidental hardware performance indicator — CPU load from the sheer volume of data being pulled.

For organizations in financial services, insurance, healthcare, or any sector holding large verified-identity datasets, the detection model required is fundamentally different from what most security programs deploy. Alert-based detection on known-bad indicators — suspicious IPs, malware signatures, known phishing domains — does not catch an authenticated attacker conducting bulk reads from legitimate policy management systems. Volumetric anomaly detection on database query patterns, data egress volume, and access behavior relative to the authenticated user's historical baseline is the gap that needs to close.

For security professionals assessing their own exposure, the action timeline is urgent. Breach data moves from exfiltration to dark web market listing in two to eight weeks. The 230,000 bank account records are the highest-priority subset — financial institutions should already be watching for unauthorized debit attempts on accounts held by customers who match the Aflac Japan policyholder profile. Insurance companies with cross-border customer service access points should verify whether any account data accessible through those systems was touched.

The pattern across Aflac Japan's 2025 and 2026 incidents points to one conclusion: organizations that hold verified identity data at scale must treat that data with the same urgency and access controls as financial credentials. The cost of treating insurance PII as low-sensitivity data is 4.38 million exposed records — and that cost compounds with every day the data circulates in dark web channels.

The bottom line

The Aflac Japan data breach exposed names, addresses, dates of birth, insurance policy details, and bank account information for 4.38 million customers — including premium transfer bank accounts for 230,000 people — through a 10-day undetected intrusion that ended only when server CPU load spiked from the volume of data being exfiltrated. Three actions if you hold an Aflac Japan policy: freeze your credit at all three bureaus today, monitor the bank account you linked for unauthorized debits, and do not trust any communication that references your policy details to request account changes or payments. The data is exfiltrated and entering dark web channels now — the protective window is weeks, not months.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

How do I know if my Aflac account was breached?

Aflac Japan is notifying affected customers directly, but notifications take weeks to arrive. Contact Aflac Japan customer service immediately if you held a policy at any time between January and June 2026 to confirm whether your specific policy was in the affected dataset. In the meantime, treat your data as potentially compromised: freeze your credit, monitor the bank account linked to your policy, and check haveibeenpwned.com for your email address.

What data did the Aflac Japan hack expose?

The Aflac Japan hack exposed full names, residential addresses, phone numbers, dates of birth, gender, security authentication information, insurance policy numbers, and coverage details for 4.38 million customers and sales agents. A higher-risk subset of approximately 230,000 customers also had their bank premium transfer account information exfiltrated. Aflac confirmed no credit card data was compromised and U.S. Aflac operations were not affected.

Was my bank account compromised in the Aflac Japan breach?

Approximately 230,000 Aflac Japan customers had their insurance premium transfer bank account information exfiltrated. These are the bank accounts customers linked for automatic premium payment deductions. If you are an Aflac Japan policyholder, log into the bank account linked to your policy and review transactions for unauthorized debits. Contact your bank to set up real-time transaction alerts and notify them of the breach so they can flag unusual activity on your account.

Is Scattered Spider behind the Aflac Japan 2026 breach?

Aflac has not attributed the June 2026 breach to any specific threat actor and has not disclosed the initial access method. The attack pattern shares characteristics with Scattered Spider operations: social engineering-based initial access, authenticated persistent access to enterprise systems, and bulk data exfiltration targeting insurance sector PII. Scattered Spider was previously linked to a 2025 breach of Aflac's U.S. systems and has been attributed to attacks on multiple U.S. insurance companies over the past 18 months.

How does insurance PII get used for identity fraud?

Insurance PII enables at least three fraud types. Account takeover fraud: attackers call insurance company customer service using verified policy details to impersonate policyholders and request changes to beneficiaries or payment accounts. Synthetic identity fraud: attackers combine real PII with manufactured data points to open new financial accounts that pass identity verification. Targeted phishing: attackers send personalized messages referencing accurate policy details to earn victim trust before requesting sensitive information or payment.

What should I do if my insurance data was stolen in the Aflac Japan breach?

Take six actions: freeze your credit at all three bureaus (Equifax, Experian, TransUnion) to block new account fraud; monitor the bank account linked to your Aflac Japan policy for unauthorized debits; update your Aflac Japan online account password and enable multi-factor authentication; check haveibeenpwned.com for your email address; be alert for phishing messages that reference accurate policy details; and file an identity theft report with the FTC at identitytheft.gov if you detect unauthorized account activity.

Is the US Aflac business affected by the Japan breach?

No. Aflac confirmed that its U.S. business systems operate independently from Aflac Life Insurance Japan Ltd. and were not affected by the June 2026 breach. The unauthorized access was limited to certain Aflac Japan systems. U.S. Aflac policyholders do not need to take protective action based on this specific incident, though monitoring your own accounts for unrelated breach activity is always recommended.

What is the dark web value of insurance records with bank account data?

Insurance records that include verified PII combined with linked bank account data command premium prices on dark web markets because they enable multiple fraud types from a single purchase. The Privacy Affairs Dark Web Price Index documents full identity packages with financial account data at $250 or more per record. The 230,000 premium bank account records from the Aflac Japan breach represent the highest-value subset of the stolen data and are the first target for dark web buyers seeking direct financial fraud material.

Sources & references

  1. BleepingComputer: Insurance Giant Aflac Discloses Data Breach After Subsidiary Hack
  2. SecurityWeek: Aflac Japan Data Breach Impacts 4.38 Million
  3. Aflac Inc. 8-K SEC Filing: Material Cybersecurity Incident
  4. CPO Magazine: Data Breach at Aflac Japan Impacts 4.38 Million Customers and Sales Agents
  5. Security Affairs: Hackers Steal Data of 4.38 Million Aflac Japan Customers

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.