Insurance company Aflac has disclosed a data breach affecting millions of customers after attackers compromised its Japan subsidiary. It is the latest in a string of breaches disclosed in recent weeks at the Japanese entities of large organizations, alongside incidents at other companies operating in the region.
Breaches at regional subsidiaries of multinational companies often follow a similar pattern: the subsidiary operates on its own IT infrastructure, with security controls, monitoring, and incident response maturity that can lag significantly behind the parent company’s global standard. Attackers who profile large targets are aware of this gap and deliberately go after the weaker regional entity as an entry point, rather than attacking corporate headquarters directly.
For an insurance company, customer data typically includes policy details, personal identifiers, and potentially health or financial information — data that carries significant regulatory exposure and is highly valuable on criminal marketplaces. The scale of “millions of customers” suggests the compromised systems had broad access to centralized customer records rather than being limited to a small regional dataset.
Organizations with international subsidiaries should treat this as a prompt to audit whether regional entities are held to the same security baseline as headquarters — logging coverage, patch cadence, access controls, and incident response readiness — rather than assuming global policy automatically translates into consistent local execution.