/

July 10, 2026

Hackers Spent 10 Days Inside Aflac Japan — Would Your Business Have Noticed?

One of the biggest insurance names in the world just disclosed a breach that exposed the personal information of roughly 4.38 million people. But the number that should stop every business owner is not the four million. It is ten — as in, the ten days attackers spent inside Aflac Japan’s systems, coming and going repeatedly, before anyone noticed. And even then, they were not caught by an alarm. They were caught by a side effect: someone noticed the systems were running under unusually heavy load and went looking for the reason.

Sit with that. A giant company, in one of the most regulated and security-conscious industries on earth, hosted intruders for a week and a half — and the tip-off was a performance hiccup. Now ask the only question that matters for your own business: if attackers were inside your systems right now, quietly coming and going, what exactly would notice them? For most small businesses, the honest answer is: nothing, and no one.

What happened, at a glance

WhoAflac Life Insurance Japan — the Japanese arm of the Fortune 500 insurance giant
WhenAttackers accessed systems repeatedly between June 15 and June 25, 2026 — roughly ten days of undetected access
How it was caughtA surge in system load and traffic prompted an investigation — not a security alarm
Who was affectedAbout 4.38 million customers and agents, via the company’s customer portal systems
What was takenNames, addresses, phone numbers, birthdates, and insurance account details; roughly 230,000 people also had premium-payment bank account information exposed (no credit cards, and no confirmed misuse so far)
The aftermathSystems suspended, services disrupted, regulators and police notified — the company’s second major breach disclosure in about a year

The ten-day problem

Security people have a term for the time attackers spend inside before discovery, but you do not need the jargon to grasp what it means. Picture a burglar who does not smash and grab, but instead quietly moves into your stockroom — coming back night after night, reading your files, copying your keys, learning your routines, and taking a little more each visit. Every additional day is more data gone, more accounts mapped, more damage banked. The break-in is a moment; the occupation is where the real harm accumulates.

The uncomfortable lesson: Aflac Japan was not caught sleeping — they detected an anomaly, investigated it, contained it, notified regulators, and told the public within days. That is the response of a company with resources and a plan. The intruders still got ten days and 4.38 million records. Now imagine the same visitors inside a business where nobody is watching the systems at all.

Why this lands on small businesses harder

In a small business, there is no security team watching dashboards and no baseline of “normal” to compare against. Industry studies have found that intrusions at smaller organizations routinely go undiscovered not for days but for months — often until a bank, a customer, or a criminal’s ransom note delivers the news. The intruder does not need to be brilliant; they simply need to be somewhere nobody looks. And most small business networks are exactly that: a collection of systems, accounts, and devices that were set up, trusted, and never watched again.

The second lesson in this story is about where the attackers struck: the customer portal — the always-on, internet-facing system where customers log in and data lives. Every business now has some version of this. Your website’s login area. Your booking system. Your client dashboard. Your online store. These customer-facing doors are open to the whole world by design, they hold your most sensitive information by necessity, and at most small businesses they were configured once and have not been seriously examined since.

Three honest questions to ask this week

  • Would we notice? If someone were inside your systems right now, what — specifically — would detect them? If the answer is “I guess we’d notice something weird eventually,” that is the same as no.
  • What’s exposed to the internet? Which of your systems can be reached by anyone in the world, and when did a knowledgeable person last actually look at them?
  • What would ten days cost us? If an intruder had a week and a half of quiet access to everything your business stores, what would they leave with — and could you even reconstruct what they touched?

Get eyes on your environment

The takeaway in one line: the breach you find on day one is an incident; the breach you find on day 300 is a catastrophe. The difference is not luck — it is whether anyone is actually watching.

That is what our environment review is for. We take a plain-language look at your business — what is exposed to the internet, where your sensitive data lives, what protections are actually in place, and whether anything would notice an uninvited guest — and we give you the honest picture before someone else writes it for you. No jargon, no scare tactics, no obligation. Aflac Japan found out what ten unnoticed days cost. The better plan is making sure nobody gets ten minutes.

Sources: Aflac SEC filing; The Japan Times; SecurityWeek; BleepingComputer; The Record, June-July 2026.

From the same category