Aflac (AFL) reports Japan-only cyber breach exposing policyholder and bank data
Filing Impact
Filing Sentiment
Form Type
8-K
Rhea-AI Filing Summary
Aflac Incorporated reported that its wholly owned subsidiary, Aflac Life Insurance Japan Ltd., discovered on June 25, 2026 that an unauthorized third-party had unlawfully accessed certain Aflac Japan systems between June 15 and June 25, 2026. After detecting the breach, Aflac Japan suspended certain systems to contain the incident but continues serving policyholders.
The company has begun an investigation, engaged external cybersecurity experts, and determined that some affected files include policy and coverage details, personal data, and bank account information. Aflac Japan has notified the Japan Financial Services Agency and other authorities and plans to notify impacted individuals. The incident is limited to systems in Japan, and U.S. business systems were not accessed. The full scope and potential impact have not yet been determined.
Positive
- None.
Negative
- None.
Insights
Aflac reports a Japan-only cyber breach with sensitive data exposure and unresolved impact.
Aflac Japan identified unauthorized access to certain systems over a 10-day period in June 2026. The company reports exposure of policy and coverage details, personal information, and bank account data, which raises potential customer, regulatory, and financial implications.
The incident is currently confined to systems in Japan, with U.S. business systems not accessed, which limits immediate geographic spread of operational risk. Aflac has engaged third-party cybersecurity experts, notified the Japan Financial Services Agency and other authorities, and plans notifications to affected individuals, aligning with regulatory expectations.
Actual financial, legal, and reputational impact depends on the ongoing investigation, potential regulatory inquiries or enforcement actions, litigation, contract disputes, or loss of business described in the company’s own cautionary language. Future company disclosures will clarify the scope of data compromised and associated costs as the investigation progresses.
8-K Event Classification
Item 8.01 — Other Events
1 item
Item 8.01
Other Events
Other
Voluntary disclosure of events the company deems important to shareholders but not covered by other items.
Key Figures
Breach access window: June 15–25, 2026
Breach discovery date: June 25, 2026
8-K event date: June 30, 2026
+1 more
4 metrics
Breach access window
June 15–25, 2026
Period when an unauthorized third-party accessed certain Aflac Japan systems
Breach discovery date
June 25, 2026
Date Aflac Japan discovered the unlawful system access
8-K event date
June 30, 2026
Date referenced for Aflac’s current report on the incident
Data types impacted
Policy details, personal information, bank account information
Types of information contained in certain impacted files
Key Terms
unauthorized third-party, personal information, bank account information, Japan Financial Services Agency, +1 more
5 terms
unauthorized third-party technical
"Aflac Japan discovered an unauthorized third-party had unlawfully accessed certain of Aflac Japan’s systems"
personal information financial
"impacted files contain policy and coverage details, personal information, and bank account information"
bank account information financial
"impacted files contain policy and coverage details, personal information, and bank account information"
Japan Financial Services Agency regulatory
"Aflac Japan has notified the Japan Financial Services Agency and other relevant authorities"
forward-looking statements regulatory
"Forward-looking statements are not based on historical information and relate to future operations"
Forward-looking statements are predictions or plans that companies share about what they expect to happen in the future, like estimating sales or profits. They matter because they help investors understand a company's outlook, but since they are based on guesses and assumptions, they can sometimes be wrong.
UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM 8-K
CURRENT REPORT
Pursuant to Section 13 or 15(d) of The Securities Exchange Act of 1934
Date of Report (Date of earliest event reported) June 30, 2026
_________________________________________________________________________________________________________________________________________________________
(Exact name of registrant as specified in its charter)
| (State or other jurisdiction | (Commission | (IRS Employer | ||||||||||||
| of incorporation) | File Number) | Identification No.) | ||||||||||||
| (Address of principal executive offices) | (Zip Code) | |||||||||||||
_________________________________________________________________________________________________________________________________________________________
(Registrant’s telephone number, including area code)
_________________________________________________________________________________________________________________________________________________________
(Former name or former address, if changed since last report)
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:
| Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425) | ||||||||
| Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12) | ||||||||
| Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b)) | ||||||||
| Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c)) | ||||||||
Securities registered pursuant to Section 12(b) of the Act:
| Title of each class | Trading Symbol(s) | Name of each exchange on which registered | ||||||||||||
Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).
Emerging growth company ☐
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ¨
Item 8.01 Other Events.
On June 30, 2026, Aflac Life Insurance Japan Ltd. (“Aflac Japan”), a wholly owned subsidiary of Aflac Incorporated, a Georgia corporation (the “Company”), issued a press release announcing that, on June 25, 2026, Aflac Japan discovered an unauthorized third-party had unlawfully accessed certain of Aflac Japan’s systems between June 15, 2026 and June 25, 2026. Upon identifying the unlawful access, Aflac Japan promptly took steps designed to contain the incident and prevent further intrusion, including suspending certain systems. Notwithstanding the suspension of certain systems, Aflac Japan continues to serve its policyholders as it responds to this incident.
Aflac Japan has launched an investigation into the matter, which remains ongoing, and the Company has engaged third-party cybersecurity experts to support Aflac Japan’s response to the incident.
Although the investigation remains ongoing, Aflac Japan has determined that certain impacted files contain policy and coverage details, personal information, and bank account information. Aflac Japan has notified the Japan Financial Services Agency and other relevant authorities, and intends to provide appropriate notifications to individuals affected by this incident.
This incident is limited to systems in Japan, the Company’s systems related to its U.S. business were not accessed by the unauthorized third-party. At this time, the full scope and potential ultimate impact on the Company are not known.
FORWARD-LOOKING INFORMATION
The Private Securities Litigation Reform Act of 1995 provides a “safe harbor” to encourage companies to provide prospective information, so long as those informational statements are identified as forward-looking and are accompanied by meaningful cautionary statements identifying important factors that could cause actual results to differ materially from those included in the forward-looking statements. The company desires to take advantage of these provisions. This document contains cautionary statements identifying important factors that could cause actual results to differ materially from those projected herein, and in any other statements made by company officials in communications with the financial community and contained in documents filed with the Securities and Exchange Commission (SEC). Forward-looking statements are not based on historical information and relate to future operations, strategies, financial results or other developments. Furthermore, forward-looking information is subject to numerous assumptions, risks and uncertainties. In particular, statements containing words such as “expect,” “anticipate,” “believe,” “goal,” “objective,” “may,” “should,” “estimate,” “intends,” “projects,” “will,” “assumes,” “potential,” “target,” "outlook" or similar words as well as specific projections of future results, generally qualify as forward-looking. Factors that could cause actual results to differ materially from those expressed or implied include the Company’s discovery of additional information related to the incident, legal, reputational, and financial risks resulting from the incident, any potential regulatory inquiries, enforcement actions and/or litigation to which the Company may become subject in connection with the incident, any contract terminations, disputes or loss of business, and other additional costs that may be incurred by the Company in connection with the incident. Aflac undertakes no obligation to update such forward-looking statements.
1
SIGNATURES
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
| Aflac Incorporated | ||||||||
| June 30, 2026 | /s/ Robin L. Blackmon | |||||||
| (Robin L. Blackmon) | ||||||||
| Senior Vice President, Financial Services | ||||||||
| Chief Accounting Officer | ||||||||
2
FAQ
What cyber incident did Aflac (AFL) disclose in Japan?
Aflac disclosed that Aflac Life Insurance Japan Ltd. detected unlawful access to certain systems between June 15 and June 25, 2026. An unauthorized third-party accessed files containing policy details, personal information, and bank account data, triggering an internal investigation and regulatory notifications.
Are Aflac (AFL) U.S. business systems affected by the Japan cyber incident?
The company states the incident is limited to systems in Japan and that systems related to Aflac’s U.S. business were not accessed. The breach involves Aflac Life Insurance Japan Ltd. only, helping geographically contain immediate operational impact to the Japanese subsidiary.
What customer information was exposed in the Aflac Japan cyber breach?
Aflac Japan reports that certain impacted files contain policy and coverage details, personal information, and bank account information. The company plans to provide appropriate notifications to affected individuals, in addition to working with cybersecurity experts and relevant Japanese authorities on its response.
How is Aflac (AFL) responding operationally to the Japan cyberattack?
Upon discovering the unlawful access, Aflac Japan suspended certain systems to contain the incident and prevent further intrusion, while continuing to serve policyholders. The company has launched an investigation and hired third-party cybersecurity experts to support remediation and assess the full scope of the breach.
What potential risks does Aflac highlight from the Japan cyber incident?
Aflac notes potential legal, reputational, and financial risks, as well as possible regulatory inquiries, enforcement actions, litigation, contract terminations, disputes, loss of business, and additional costs. The company emphasizes that the full scope and ultimate impact are not yet known as the investigation continues.
When did Aflac Japan discover the cyber breach and over what period did it occur?
Aflac Japan discovered the breach on June 25, 2026. The company reports that an unauthorized third-party unlawfully accessed certain systems between June 15, 2026 and June 25, 2026, indicating roughly a 10-day window of unauthorized access before detection and containment steps were taken.