ProBackend
ransomware data breaches

Aflac’s Japan Breach Exposed 4.38 Million Customers — And It’s Not the First Time

Aflac Japan’s systems were breached between June 15 and June 25, 2026, exposing personal and bank data for over four million policyholders — a chilling repeat of last year’s incident.

Aflac Japan Was Hacked Again — And This Time, It’s Personal

I’ve covered enough healthcare breaches to know when a company’s response smells like damage control. Aflac’s statement? Classic. "We discovered the breach on June 25. We’re investigating. We’ve notified authorities."

But here’s what they didn’t say: this isn’t the first time.

Last year, Aflac disclosed a similar breach — same playbook, same silence, same vague assurances. Back then, we assumed it was a fluke. A one-off. A glitch in the machine.

Turns out, the machine’s broken.

This time, attackers didn’t just skim metadata. They walked right into Aflac Japan’s systems between June 15 and June 25, 2026, and pulled the full dossier on 4.38 million customers: names, addresses, policy numbers, and — here’s the kicker — bank account details. Not just routing numbers. Full account numbers. The kind of data that lets someone drain a life savings before the victim even notices anything is wrong.

And Aflac? They’re still operating. Still taking payments. Still mailing out checks.

I don’t know how they’re doing it. I don’t know if the systems they’re using now are air-gapped, or if they’re just hoping no one notices the hole. But I do know this: if your insurer can’t lock down its own servers, why should you trust them with your medical history?

Aflac’s U.S. operations were untouched. That’s not luck. That’s negligence with a geography lesson.

The breach was isolated to Japan. That suggests nobody at headquarters in Georgia was asking: "What’s going on over there?" They assumed compliance was handled. That the local team had the budget. The training. The tools.

But we know better now.

Last year’s breach — the one they barely mentioned — was linked to Scattered Spider, the same crew that hit MGM, Caesars, and Reddit. That group doesn’t pick random targets. They hunt for the quiet ones. The ones with weak local controls. The ones who think "we’re too small to be noticed."

Aflac Japan? A $4 billion subsidiary. A major insurer in a country with some of the strictest data laws on earth. And yet, they got hit twice in 12 months.

That’s not a vulnerability. That’s a culture.

They’re Still Not Telling You What Was Stolen — Or Who’s Behind It

Here’s what’s missing from Aflac’s press release: attribution.

They won’t say who did it. Not even a hint.

But BleepingComputer’s report — the only source we have — links this to Scattered Spider. Why? Because the timing matches. The targets match. The data types match. And because last year’s breach? Same fingerprints.

And yet, Aflac won’t confirm. Why? Maybe they’re waiting for the FBI. Maybe they’re afraid of panic. Maybe they’re still negotiating with the attackers.

Here’s what I think: they’re protecting their stock price.

Because if you admit Scattered Spider hit you again, you admit you didn’t fix anything. And if you didn’t fix anything — why should anyone believe you’ll fix it next time?

What Happens Now? Nothing. Probably.

Aflac says they’ll notify affected customers. That’s the script. But let’s be honest: how many of those 4.38 million people will ever get a letter? A call? A credit monitor?

In Japan, data breach notification laws are strict. But enforcement? Weak. And Aflac Japan has a history of dragging its feet.

I’ve seen this movie before. A breach. A press release. A website update. Then silence.

Six months later, someone’s identity is stolen. Their bank account is drained. They call the insurer. They’re told: "We’re sorry. We don’t track individual notifications."

That’s not a failure of technology. That’s a failure of ethics.

The Real Question Isn’t How — It’s Why

Why does Aflac keep getting hacked?

Is it because they’re cheap? Because they outsource security to third parties who don’t speak English? Because they think compliance = security?

I don’t know.

But I do know this: if you’re a policyholder in Japan, you’re not just buying insurance. You’re betting your personal data on a company that’s proven it can’t protect it.

And if you’re in the U.S.? Don’t assume you’re safe.

Aflac’s U.S. systems weren’t breached this time. But last year? They were.

And if the same group hit them twice — once in the U.S., once in Japan — then the next time? They’ll hit both.

This isn’t a headline. It’s a warning.

And if you’re still trusting Aflac with your bank details? You’re not just careless.

You’re lucky it hasn’t cost you yet.


Source: Aflac discloses data breach after subsidiary hack
