4.38 million records leaked in breach, Aflac to probe and prevent recurrence
Third party accessed dedicated site
Aflac Life Insurance said an unauthorized access incident led to the leak of customer information on about 4.38 million people. A third party gained access to a site for policyholders, where a large volume of information was viewed over 11 days. Bank account information was also included, and policyholders are being asked to check for any suspicious transactions.
Access traces from June 15
The company first became aware of an abnormality on June 25. On Aflac Yurisou Net, a site used to check policy details and change policyholder names, the system detected high-load conditions while processing a large volume of information. Further investigation found that a specific user had viewed an enormous number of policyholder pages, and that access had continued since June 15.
Account and agency information also leaked
The leaked information included names, addresses, phone numbers, policy numbers and coverage details. For about 230,000 people, bank account information used for premium withdrawals was also included. In addition, addresses and phone numbers for about 40,000 sales agents also leaked. The company said sensitive information such as medical history, credit card information and My Number were not included. At this stage, it has also not confirmed any case of personal information being misused by a third party.
Financial institutions also tighten vigilance
The leaked data appears to include information on policyholders whose contracts have already been canceled or who have reached maturity. Policyholder sites are currently inaccessible, and customers with concerns about suspicious contact or fraudulent transactions are being directed to the call center. If actual financial damage or other harm is confirmed, Aflac will investigate each case individually and also consider compensation.
Unauthorized withdrawals cannot be made immediately using only a bank account number, but the risk of secondary damage rises if a PIN or online banking password is leaked. On a breach involving a combination of bank account information and passwords, the Personal Information Protection Commission has said it could be considered a leak of personal data that may cause property damage. On June 30, the Financial Services Agency issued Aflac an order to submit a report under the Insurance Business Act.
Enjoyed this article? Share it with your network!