Global insurer Aflac’s Japanese branch has revealed that personal data describing more than three million customers of its cancer insurance product has been leaked online.
The company has apologized [PDF in Japanese] to customers and admitted that their surname, age, gender, and insurance cover were all leaked.
The insurer claims that’s not enough information to identify individual customers, and rates the likelihood of misuse as “extremely low”.
The breach is nonetheless notable because Aflac has blamed it on a US-based contractor to which it outsources some work. Aflac’s apology states the contractor’s servers were accessed from January 7.
Aflac has not named the contractor, and The Register has not been able to find reports of similar breaches or leaks.
The Register has also visited a prominent forum that lists stolen data and offers it for sale, and found a sample of data from Aflac. The date of the post matches the timeline Aflac outlined, and the sample data appears to include over 40 fields – some with names that appear to indicate they describe benefits to which members are entitled.
Aflac’s breach was revealed on the same day that Swiss insurer Zurich reportedly admitted that data describing over two million of its Japanese customers has leaked.
Again, The Register was able to find a claim of just such a database being available on a data breach forum, along with data from an earlier breach of Zurich describing over four million customers (but with only 4,190 email addresses).
The Register has asked Aflac for more details on its breach, including the identity of the contractor that leaked the info, and approached Zurich for comment. ®