Jul 01, 2026 · 5 min read
Aflac Hit Twice in a Year: Japan Subsidiary Loses Bank Account Data
Attackers accessed Aflac Life Insurance Japan's systems between June 15 and June 25, 2026, stealing policy coverage details, personal information, and bank account data. The incident follows Aflac's catastrophic 2025 breach — linked to Scattered Spider — that exposed 26.5 million Americans and is now one of the largest healthcare data breaches ever recorded.
Key Takeaways
- • Aflac Life Insurance Japan disclosed unauthorized access to certain systems between June 15-25, 2026. Data stolen includes policy details, personal information, and bank account data.
- • This is Aflac's second breach in 12 months: the 2025 incident — attributed to Scattered Spider — exposed 26.5 million Americans' health and personal information.
- • Scattered Spider conducted a coordinated sweep of the US insurance industry in June 2025, hitting Aflac, Philadelphia Insurance Companies, and Erie Insurance within five days.
- • Aflac Japan has suspended affected systems, notified Japanese authorities and the Japan Financial Services Agency, and engaged external cybersecurity experts.
- • Aflac's US systems were not affected. The company's previous 2025 breach shows the exposure is primarily relevant to US Aflac policyholders from last year and Japan policyholders from this incident.
What Happened in the June 2026 Breach?
Aflac Life Insurance Japan Ltd. disclosed on June 30, 2026 that threat actors gained unauthorized access to "certain of Aflac Japan's systems" between June 15 and June 25. The company discovered the intrusion on June 25 and responded by suspending affected systems to contain the breach.
The data accessed includes three categories of information:
- Policy and coverage details — what insurance products policyholders hold and their terms
- Personal information — names, addresses, dates of birth, and related identifying data
- Bank account information — the financial account details used for premium payments or claim disbursements
Aflac has not disclosed the number of individuals affected. The company notified Japanese regulatory authorities and the Japan Financial Services Agency, and said it is working with external cybersecurity experts while continuing normal business operations.
US business systems were not accessed in this incident. However, the type of data involved — bank account details combined with personal identifiers and insurance information — creates significant exposure for Japanese policyholders.
The 2025 Breach That Hit 26.5 Million Americans
To understand the June 2026 breach in context, the 2025 incident needs to be on the table. In June 2025, Aflac was among three major US insurance companies struck within a five-day period by attackers exhibiting the hallmarks of Scattered Spider — a threat group known for sophisticated social engineering, vishing attacks, and rapid lateral movement through corporate networks.
Google Threat Intelligence Group attributed the coordinated attacks on Aflac, Philadelphia Insurance Companies (PHLY), and Erie Insurance to the same cluster of activity. By February 2026, Aflac confirmed to federal regulators that the protected health information of at least 13.9 million individuals had been exposed. That number later grew to approximately 26.5 million — making the 2025 Aflac breach one of the largest healthcare data breaches ever recorded in the United States.
The data exposed in the 2025 breach included health insurance claims information, Social Security numbers, diagnosis codes, and other protected health information. When insurance breach data reaches the market, it does not stay static — it becomes the raw material for targeted phishing campaigns that use your own health history to appear legitimate.
Why Insurance Companies Are a Persistent Target
Scattered Spider's pattern — systematically moving through an industry vertical — reflects a calculated approach to maximizing the value of stolen data. Insurance companies are uniquely attractive targets because they hold three categories of high-value information simultaneously: health records, financial data, and comprehensive personal identifiers. Few industries combine all three.
The group demonstrated this vertical-targeting approach across multiple sectors: UK retailers in early 2025 (Marks and Spencer, the Co-op, Harrods), then luxury brands (Dior, Cartier, The North Face, Adidas), then US insurance companies in June 2025. Each industry provides a different but consistent type of data that enables downstream attacks — payment card data from retailers, customer loyalty information from luxury brands, and health and financial data from insurers.
For compliance officers at insurance companies, the pattern is a direct signal: Scattered Spider does not stop after one breach in a sector. When one company in the vertical falls, adjacent companies should treat it as a warning to audit their social engineering defenses, multi factor authentication coverage, and privileged access controls — not as confirmation that the threat has moved on.
How Insurance Breach Data Fuels Spear Phishing
Bank account data and insurance policy details are not typically exploited through direct fraud in isolation. The more immediate risk is that they become inputs for highly targeted phishing — emails (or text messages) that reference your specific policy number, claim history, or bank account to appear legitimate.
A phishing email that says "Action required regarding your Aflac policy #[your actual policy number]: please verify your bank account details to continue receiving benefits" is far more convincing than generic fraud. Your email address, pulled from the breach, becomes the delivery channel. Your policy data provides the bait. Your banking information establishes urgency and specificity.
This is the compound risk of insurance breaches: the data does not enable fraud on its own, but it dramatically improves the conversion rate of phishing attacks delivered to your inbox. Tracking pixels in those phishing emails then confirm your address is active and whether you opened the message — a separate surveillance layer operating alongside the social engineering.
What Should Aflac Policyholders Do?
The June 2026 breach affects Aflac Japan policyholders primarily. The 2025 breach affected US policyholders. If you hold or have held Aflac insurance, there are concrete steps to take.
- Monitor bank accounts for unauthorized activity — If your bank account information was part of the Japan subsidiary breach, review statements carefully and set up transaction alerts if your bank offers them.
- Be skeptical of insurance-related emails and calls — Any communication referencing your Aflac policy, claim status, or account details should be verified by calling Aflac directly using the number on your policy documents — not a number provided in the suspicious message.
- Place a credit freeze — If your Social Security number or equivalent national ID was included in the 2025 US breach, a credit freeze at the major bureaus prevents new accounts from being opened in your name.
- Watch for spear phishing — Messages that reference your specific policy number, claim history, or banking details are a red flag, not a sign of legitimacy. Insurance companies experiencing breaches do not typically ask you to verify personal information via email.
- Check for breach notifications — Aflac is required to notify affected individuals. US policyholders from the 2025 breach should have received notification; Japan policyholders from the 2026 breach should expect notifications from Aflac Japan.
If you have not received notification but believe you may be affected, contact Aflac directly through their official website or listed customer service numbers. Do not click links in emails claiming to be breach notifications — verify independently first.
Aflac is not alone in learning that a secure internal network is no guarantee of privacy. A ransomware attack on a law firm working for Navient exposed student loan borrowers' Social Security numbers even though Navient's own systems were never touched, the same third party vendor risk pattern playing out across industries in 2026.