Aflac Japan Leaks Data on 4.38 Million Customers: What Policyholders Should Do, and the 'Instant Withdrawal' Myth
Aflac Japan leaked ~4.38M customers' data via unauthorized access, incl. bank accounts for ~230,000. Does that mean instant withdrawal, and what should policyholders do?
Cancer-insurance leader Aflac Life Insurance Japan announced on June 30, 2026 that an external unauthorized access had leaked the personal information of about 4.38 million customers. Of those, about 230,000 also had the bank-account information used to collect their premiums exposed. What leaked includes names, dates of birth, addresses, phone numbers, policy numbers and coverage details; per Aflac's official notice, My Number (national ID) and credit-card information are not included.
Aflac was the first company to sell cancer insurance in Japan and has more than 10 million policyholders, so many people will be anxious about "am I affected" and "is it dangerous that my account info leaked." This article first sorts out what policyholders should check now, then examines, based on the official notice and government guidance, whether "leaked account info means my money will be withdrawn immediately" is actually true. Outlets including the Nikkei have reported this leak.
| Item | Details |
|---|---|
| Disclosed | June 30, 2026 |
| Affected | ~4.38M customers (~230k with account info) + ~40k agencies |
| Leaked | Name, DOB, sex, address, phone, policy number, coverage, premium bank-account info, etc. |
| Not included | My Number and credit-card information |
| Cause | Unauthorized access to Aflac's own customer site, etc. (method under investigation) |
| Misuse | None confirmed at this time (official) |
*This is a still-developing case. The intrusion method and the attacker were not disclosed at publication, and Japan's Financial Services Agency issued Aflac an order to report the cause and preventive measures dated June 30.
Are you affected, and what to check now
Aflac says it will mail a letter of apology and notice to affected customers in turn. Whether such a notice reaches you is one way to know if you are affected. Since mail takes time, if you have concerns while waiting, the surest step is to check with the official contact.
- Official contact: Aflac lists a call center (0120-5555-95; weekdays 9-18, Sat 9-17). Contact it first if you notice suspicious messages or unusual account activity.
- Don't rush to act: fake emails and SMS claiming "identity verification" or "refund procedures" may circulate to exploit this. Even when a notice arrives, pause before clicking any link (see below).
- Whether you are among the ~230,000 with account info is shown in the letter. If so, checking your bankbook or app for transactions regularly gives peace of mind.
Officially, there is no confirmed case yet of the leaked data actually being misused. But "no harm right now" and "safe going forward" are different things. Staying calm and knowing how to be properly cautious is the best defense.
What leaked, and what did not
Let's be precise. Per the disclosure, what may have leaked about customers is: name, date of birth, sex, address, phone number, policy number, coverage details, and, for about 230,000 people, premium bank-account information (bank name, branch, deposit type, account number, account holder name, etc.). For agencies, representatives' names, addresses and phone numbers leaked for about 40,000 agencies.
On the other hand, Aflac clearly states that My Number and credit-card information are not included, a point you can be reassured about. Also, while "coverage details" is among the leaked items, there is no announcement that health information such as medical history or diagnosis results leaked. Because it is cancer insurance, one may imagine health data leaking, but there is no need to inflate anxiety beyond the officially stated scope. Stick to the facts.
Is "leaked account info = money withdrawn right away" true?
This is the most misunderstood point. In short, a leaked account number and holder name alone will not normally let someone withdraw your deposits. Moving money requires secret information beyond the account number: a bankbook and registered seal at the counter, a cash card and PIN at an ATM, or an online-banking ID and password. The leaked account info does not include such PINs or passwords.
Japan's Personal Information Protection Commission also states that a leak of bank-account information alone does not, by itself, immediately count as a "leak that risks financial harm." That risk rises when combined with online-banking passwords and the like. An account number is, after all, "semi-public" information you tell others to receive salary or payments, and it is printed on invoices and transfer slips; precisely because it can only be used to pay in, it is safe to share.
The "docomo Account" unauthorized withdrawals that became a problem in 2020 did not succeed on an account number alone either. Looking at what happened then, weak identity verification on the payment-service side combined with the PIN needed to register a direct debit was exploited. Since then, multi-step checks such as SMS verification have become mandatory. "Leaked account number = instant withdrawal" is not accurate. But "therefore completely safe" is not true either, which is the real point, covered next.
The real risk is "high-precision impersonation scams"
So what should you watch for? From an engineer's view, the truly scary part of this leak is not an on-the-spot withdrawal, but a "well-made scam" launched after some time. The attacker holds your name, address, phone and date of birth, plus the policy number and coverage details that only you and the insurer should know. When these are recited to you, it becomes far easier to believe the caller or emailer is "the real Aflac."
A typical move is to impersonate an insurer or bank with "you have a premium refund" or "we need to re-verify your account info," luring you to a fake site to enter a password or PIN. The criminals try to draw out of your own mouth the information that did not leak (PINs, online-banking passwords). Japan's National Consumer Affairs Center notes that in refund scams the criminals often already know the victim's information. The leaked data can work as material that boosts the "credibility" of impersonation, taking effect weeks to months later.
For the roughly 230,000 whose account info leaked, there is also some need for caution against secondary misuse, such as the account being abused as a receiving account for fraud. The FSA likewise says the risk of secondary harm rises when account info is combined with credentials. The key is to expect attacks that use the leaked data as an "entry point" to steal the missing secret information.
Concrete steps policyholders should take
Here are the effective precautions that government bodies commonly recommend. None of it is difficult.
- Don't enter via links in email or SMS. Access Aflac or your bank from your own saved bookmark or the official app. The Council of Anti-Phishing Japan warns that fake sites cannot be told apart from real ones by appearance.
- Suspect a scam if asked for a PIN or password. Financial institutions never ask for PINs or passwords by email or SMS (FSA).
- Watch your account. Turn on transaction and login notifications and check your statements often. Query your bank at once for any transaction you don't recognize.
- Always contact via official channels. Even if you get a suspicious call or letter, don't call the number it gives; verify via the number on your bankbook or the official site. For this case, use Aflac's call center (0120-5555-95).
Some wonder whether to change their account number, but since account info alone does not enable instant withdrawal, the caution and monitoring above are enough to start. If you are very anxious or see a suspicious transaction, decide in consultation with your bank.
Timeline
| When | Event |
|---|---|
| Jun 15, 2026 | First unauthorized access (then multiple times through the 25th) |
| Jun 25, 2026 | Access detected and blocked; related systems stopped |
| Jun 30, 2026 | Leak disclosed; reported to the FSA and police |
| Jun 30, 2026 | FSA issues a report order under the Insurance Business Act |
From the first intrusion to detection was about 10 days, with multiple accesses in between. The entry point and method are under investigation, and Aflac has not disclosed details, including whether ransomware was involved. The recovery timing of the stopped systems is also undecided; insurance-claim requests are being handled at the call center.
The scale of 4.38 million, and the recurring leaks in insurance and finance
How big is 4.38 million compared with past major domestic leaks? It is smaller than Benesse in 2014 (about 35.04 million records) or Sompo Japan, revealed in 2025 (possibly up to about 17.5 million), but as a single case it is on the large side. More important is that while many large cases stopped at names and addresses, this one includes about 230,000 people's account info plus policy numbers and coverage details tied to the individual, which is exactly why it makes good material for impersonation scams.
Leaks in insurance and finance are not new. On this site we have covered the Awa Bank leak from a test environment and the Money Forward-related data leak. Leaks via subcontractors and external services also keep happening, from a large leak from an overseas service to an ISP email-information leak. The pattern is shared: the more personal data an operator holds, the wider the damage spreads when it is targeted.
Summary
Aflac's unauthorized-access incident leaked about 4.38 million customers' information (about 230,000 with account info too). What leaked includes names, addresses, policy numbers and coverage; My Number, credit-card information, and health information are not included. Even with account info leaked, deposits are not normally withdrawn from an account number and holder name alone, so there is no need for excessive fear there.
The real danger is impersonation scams and phishing that use the leaked data as "proof of authenticity." Not entering via email/SMS links, suspecting anyone who asks for a PIN or password, watching your account, and contacting only official channels: keeping to these basics is the surest defense against a risk that lasts months. We will update this article once the intrusion method and cause are disclosed.
FAQ
How do I check whether I'm affected?
Aflac says it will mail a letter of apology and notice to affected customers in turn. If anxious, you can check via the official call center (0120-5555-95; weekdays 9-18, Sat 9-17). A "verification link" arriving by email or SMS may be fake, so do not take it at face value.
My account info leaked. Will my money be withdrawn right away?
Normally, no. Moving deposits requires secret information beyond the account number (a PIN, password, or a bankbook and seal), and those did not leak here. The Personal Information Protection Commission also states that a leak of account info alone does not immediately amount to a risk of financial harm. Still, since it can be scam material, keep watching your account and stay wary of suspicious contact.
Did health information or medical history leak?
"Coverage details" is among the leaked items, but there is no official announcement that health information such as medical history or diagnosis results leaked. Aflac also clearly states that My Number and credit-card information are not included.
Should I change my account number?
Since account info alone does not enable instant withdrawal, it is realistic to first enable transaction notifications, watch your statements, and stay wary of suspicious contact. If you are very anxious or actually see a suspicious transaction, decide in consultation with your bank.
Update history
- July 1, 2026: First published (created following Aflac's June 30 official announcement, reporting, and the FSA report order). To be updated once the intrusion method and cause are disclosed.
References
- Aflac Japan: Apology and notice on unauthorized access and data leak (June 30, 2026)
- Nikkei: Aflac leaks info on 4.38 million customers
- Nikkei: FSA issues report order to Aflac
- ITmedia: Aflac unauthorized access, ~4.38M personal records leaked
- ScanNetSecurity: Details of the leaked items
- Personal Information Protection Commission: FAQ on bank-account information leaks
- FSA: Internet banking precautions
- Council of Anti-Phishing Japan: What is phishing
- FSA: On unauthorized withdrawals via payment services and bank accounts (2020)

Makoto Horikawa
Backend Engineer / AWS / Django