Finance & Banking , Healthcare , Incident & Breach Response

Aflac, Zurich Policyholders in Japan Affected by Data Leaks

Subcontractor Server Hacked in Both Incidents; Data of Millions Compromised
Aflac, Zurich Policyholders in Japan Affected by Data Leaks
Street scene in Japan (Image: Djedj/Pixabay)

Personal information for more than 1.3 million Aflac cancer insurance policyholders and almost 760,000 Zurich Insurance auto insurance policyholders is on the dark web following a hack on a third-party contractor.

See Also: Live Webinar | Navigating the Difficulties of Patching OT

Neither company named the data leak site or third-party vendor involved with its breaches, so it is unclear if the incidents are related. Affected individuals from both hacks reside in Japan.

In an apology published Tuesday, Aflac's Japanese unit says it confirmed information it received on Jan. 9 about customer information being posted onto a criminal data breach forum. A hacker took the data from a server used by an external outsourced contractor, Aflac says.

Personal information leaked include policyholders' last name, age, gender, insurance type number, coverage amount and premiums.

Aflac says its data leak incident involved a U.S.-based subcontractor.

A total of nearly 3.2 million records were accessed in the incident. More than 1.3 million customers enrolled in the company's "new cancer insurance" and "super cancer insurance" policies were affected by the breach, Aflac says.

"Since it is not possible to identify [affected individuals] personally with only the above personal information items leaked to the information leakage site, we believe that the possibility that the leaked information will be misused by a third party is extremely low," Aflac says in its Japanese notice to affected customers.

Aflac says it has reported the incident to Japan's Financial Services Agency and other relevant organizations and will continue to investigate the incident in cooperation with external experts.

"In addition, the external company that was the source of the leak has already deleted the customer's information from the server they are using, and we are taking measures to prevent further information leaks," Aflac says.

In a statement provided to Information Security Media Group, Aflac says that upon becoming aware of the data incident involving its business in Japan, the company immediately activated its response plan in compliance with government and industry standards along with its internal information security protocols.

"The incident, caused by a vulnerability in a file transfer server, originated with a subcontractor of a third-party vendor that Aflac Japan uses for marketing purposes. The data, which did not include personally identifiable information was posted on a dark website. This incident was confined to Aflac Japan and did not involve data related to U.S. operations or customers. We place the highest priority on protecting the data entrusted to us and will continue to leverage our robust, industry-leading risk management program to fight the ever-evolving cybercrime practices," the statement says.

Zurich Data Leak

Aflac's Japanese cancer insurance policyholders were not alone in having their data leaked this week. Zurich Insurance on Tuesday disclosed a similar data security incident affecting auto insurance policyholders, also in Japan and involving an external third-party contractor.

The data of nearly 760,000 Zurich auto insurance policyholders was leaked this week in a vendor hack.

Zurich, in a statement provided to ISMG, says 757,463 current and former customers of its "Super Automobile Insurance" - a local motor insurance product - were affected by the incident.

Credit card numbers or bank account information were not affected, Zurich says.

Personal information that may have been leaked includes last names in Katakana characters, gender, date of birth, email address, policy number, customer ID, vehicle name, grade, and other items related to automobile insurance policies, Zurich says.

"There is no indication that any customer data outside of Japan have been compromised," it added.

UTC 13:22 Jan. 12: Article was updated with clarification from Aflac that 3.2 million Aflac records were accessed in the incident and 1.3 million policyholders were affected.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.