Image: Jhelmsaflac via Wikimedia Commons/PhotoMosh

Millions of Aflac, Zurich insurance customers in Japan have data leaked after breach

The Japanese customers of two large insurance companies have had their personal information leaked after the breach of a third-party service provider.

Neither company would say if the two breaches were connected, and the attacked provider has not been named. But each company released statements this week warning their customers that their information was made public. 

Aflac director of communications Jon Sullivan said they recently became aware of a “data-related incident” involving Japanese customers. 

“The incident, caused by a vulnerability in a file transfer server, originated with a subcontractor of a third-party vendor that Aflac Japan uses for marketing purposes and affected approximately 1.3 million customers,” Sullivan said. 

“The data, which did not include personally identifiable information (PII), was posted on a dark website. This incident was confined to Aflac Japan and did not involve data related to U.S. operations or customers.” 

The company released a statement in Japanese on Tuesday explaining that it plans to contact each customer individually to explain the support available to them. The breach was discovered on January 9. 

In the letter, they said they looked through the dark web post and confirmed that the data is from their company. The information included names, age, gender, insurance type, insurance number, premiums and more plan information. 

All of those affected – 1,323,468 people – had three different kinds of cancer insurance policies, according to the release, which provides a number to a call center with more information. Aflac noted that it removed the information that was stolen from the third-party server so it cannot be stolen again. 

A spokesperson for Zurich Insurance Group said it is also aware that Japanese customer data has been stolen and made public – similarly attributing it to a third-party service provider.

They have contacted regulators and authorities while also beginning the process of notifying Japanese customers.  

“There is no indication that any customer data outside of Japan have been compromised, nor indication of any compromise of Zurich internal systems,” the spokesperson said. 

“Initially, it was falsely reported that 2.6 million customers were affected by the data breach. It has since been clarified that 757,463 ‘Super Automobile Insurance’ customers (a local motor insurance product) have been affected.”

The information stolen includes names, policy numbers, customer IDs, emails, dates of birth and more vehicle information. 

Lior Yaari, CEO of Grip Security, said the incident was another example of the danger major companies face when entrusting personal customer information to third-parties that often have far more lax security policies.

“Whether it’s a third-party, former employee, overly permissive grants, or dangling access on zombie accounts, the opportunity to exploit credentials and thereby gain access to sensitive information has never been more appealing, which is one of the reasons third parties and their credentials to access client systems remain top attacker targets,” Yaari said. 

Eureka Security CEO Liat Hayun said most companies are in an unenviable position because third-party vendors are often a necessary evil for companies of Aflac and Zurich’s size. 

“Who do you trust with your critical data assets? Your answer would be ‘no one,’ however, the reality is that organizations use third-party vendors to enable day-to-day operations,” Hayun explained. With that said, it is best to work with third-party vendors who have the same, if not better data security policies than your own organization to further accelerate day-to-day operations.”

The breach announcement came just days after the head of the company told Financial Times that the scale and frequency of cyberattacks were making such incidents “uninsurable.” 

In October the company settled a landmark multi-year legal battle over a food company’s $100 million claim regarding damage from the NotPetya cyberattack in 2017.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.