Aflac, Zurich Policyholders in Japan Affected by Data Leaks
Subcontractor Server Hacked in Both Incidents; Data of Millions Compromised
Personal information for more than 1.3 million Aflac cancer insurance policyholders and almost 760,000 Zurich Insurance auto insurance policyholders is on the dark web following a hack on a third-party contractor.
Neither company named the data leak site or third-party vendor involved with its breaches, so it is unclear if the incidents are related. Affected individuals from both hacks reside in Japan.
In an apology published Tuesday, Aflac's Japanese unit says it confirmed information it received on Jan. 9 about customer information being posted onto a criminal data breach forum. A hacker took the data from a server used by an external outsourced contractor, Aflac says.
Personal information leaked includes policyholders' last name, age, gender, insurance type number, coverage amount and premiums.
A total of nearly 3.2 million records were accessed in the incident. More than 1.3 million customers enrolled in the company's "new cancer insurance" and "super cancer insurance" policies were affected by the breach, Aflac says.
"Since it is not possible to identify [affected individuals] personally with only the above personal information items leaked to the information leakage site, we believe that the possibility that the leaked information will be misused by a third party is extremely low," Aflac says in its Japanese notice to affected customers.
Aflac says it has reported the incident to Japan's Financial Services Agency and other relevant organizations and will continue to investigate the incident in cooperation with external experts.
"In addition, the external company that was the source of the leak has already deleted the customer's information from the server they are using, and we are taking measures to prevent further information leaks," Aflac says.
In a statement provided to Information Security Media Group, Aflac says that upon becoming aware of the data incident involving its business in Japan, the company immediately activated its response plan in compliance with government and industry standards along with its internal information security protocols.
"The incident, caused by a vulnerability in a file transfer server, originated with a subcontractor of a third-party vendor that Aflac Japan uses for marketing purposes. The data, which did not include personally identifiable information, was posted on a dark website. This incident was confined to Aflac Japan and did not involve data related to U.S. operations or customers. We place the highest priority on protecting the data entrusted to us and will continue to leverage our robust, industry-leading risk management program to fight the ever-evolving cybercrime practices," the statement says.
Zurich Data Leak
Aflac's Japanese cancer insurance policyholders were not alone in having their data leaked this week. Zurich Insurance on Tuesday disclosed a similar data security incident affecting auto insurance policyholders, also in Japan and involving an external third-party contractor.
Zurich, in a statement provided to ISMG, says 757,463 current and former customers of its "Super Automobile Insurance" - a local motor insurance product - were affected by the incident.
Credit card numbers or bank account information were not affected, Zurich says.
Personal information that may have been leaked includes last names in Katakana characters, gender, date of birth, email address, policy number, customer ID, vehicle name, grade, and other items related to automobile insurance policies, Zurich says.
"There is no indication that any customer data outside of Japan have been compromised," it added.
UTC 13:22 Jan. 12: Article was updated with clarification from Aflac that 3.2 million Aflac records were accessed in the incident and 1.3 million policyholders were affected.