American insurance coverage big Aflac has disclosed a brand new knowledge breach after attackers breached its Japan subsidiary’s techniques and stole private and checking account info.
Aflac (brief for American Household Life Assurance Firm) is a Fortune 500 firm and the biggest supplemental insurance coverage supplier in the USA, serving thousands and thousands of consumers within the U.S. and Japan.
In a submitting with the U.S. Securities and Trade Fee (SEC) on Monday, the corporate revealed that menace actors gained entry to Aflac Japan’s techniques earlier this month.
“On June 30, 2026, Aflac Life Insurance coverage Japan Ltd. (“Aflac Japan”), a completely owned subsidiary of Aflac Included, a Georgia company (the “Firm”), issued a press launch saying that, on June 25, 2026, Aflac Japan found an unauthorized third-party had unlawfully accessed sure of Aflac Japan’s techniques between June 15, 2026 and June 25, 2026,” the insurance coverage firm mentioned.
“Upon figuring out the illegal entry, Aflac Japan promptly took steps designed to comprise the incident and stop additional intrusion, together with suspending sure techniques. However the suspension of sure techniques, Aflac Japan continues to serve its policyholders because it responds to this incident.”
Aflac is now investigating the incident with the assistance of exterior cybersecurity specialists and has revealed that the menace actors have gained entry to some delicate info saved on the affected techniques.
The corporate has alerted Japanese authorities to the incident and can notify affected people of the information breach.
“Though the investigation stays ongoing, Aflac Japan has decided that sure impacted information comprise coverage and protection particulars, private info, and checking account info. Aflac Japan has notified the Japan Monetary Providers Company and different related authorities, and intends to offer applicable notifications to people affected by this incident.
“This incident is restricted to techniques in Japan, the Firm’s techniques associated to its U.S. enterprise weren’t accessed by the unauthorized third-party. Presently, the total scope and potential final affect on the Firm should not recognized.”
An Aflac spokesperson was not instantly accessible for remark when contacted by BleepingComputer earlier right now.
One yr in the past, Aflac disclosed one other knowledge breach amid a broader marketing campaign concentrating on insurance coverage corporations throughout the USA, saying that the attackers might have gained entry to paperwork containing delicate details about prospects, beneficiaries, staff, brokers, and different people.
Whereas Aflac did not attribute final yr’s breach to a selected menace group, the incident had all of the indicators of a Scattered Spider assault.
Scattered Spider (additionally tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra) was additionally behind breaches at Erie Insurance coverage and Philadelphia Insurance coverage Corporations (PHLY), a part of the identical wave of assaults.
They’ve additionally beforehand partnered with different ransomware operations, equivalent to Qilin, RansomHub, and DragonForce, and their record of victims contains MGM Resorts, DoorDash, Caesars, MailChimp, Twilio, Coinbase, Riot Video games, and Reddit.
Safety groups log 54% of profitable assaults and alert on simply 14%. The remainder transfer by means of your atmosphere unseen.
The Picus whitepaper exhibits how breach and assault simulation checks your SIEM and EDR guidelines so threats cease slipping by detection.
