Aflac Life Insurance Japan, a subsidiary of the US insurance giant Aflac, says attackers broke into its policyholder portal and stole personal data belonging to about 4.38 million customers and agents. The intruders accessed systems repeatedly between June 15 and June 25, when the breach was detected through a surge in traffic, and the company suspended affected systems in response. Exposed data includes names, addresses, phone numbers, dates of birth, gender, and insurance account details, plus premium payment account information for roughly 230,000 people; no credit card data was taken. Aflac says the incident is limited to its Japan systems and does not affect its US operations.
Japanese telecom giant KDDI has disclosed a breach of an email platform it operates for itself and several internet service providers, potentially exposing the email addresses and passwords of up to 14.22 million mailboxes. KDDI detected the intrusion on June 17, blocked the attacker the same day, and traced the entry to a vulnerability in unnamed third-party software used by the email system. Six ISPs are affected, including JCOM, Nifty, and Biglobe, and the figure covers current, former, and inactive accounts. KDDI says some passwords were hashed or encrypted but has not said how many were stored in plaintext, and is urging all affected users to change their passwords.
Kyushu Electric Power, one of Japan's largest utilities, has disclosed a physical security incident: a storage drive containing the personal data of more than 10.9 million customers went missing. Because the exposure stems from lost media rather than a network intrusion, the risk depends largely on whether the drive was encrypted, a detail that determines if the data is readable by whoever finds it. The incident is a reminder that data-governance failures, like unencrypted or poorly tracked portable storage, can expose as many records as a sophisticated hack. Affected customers should watch for fraud and phishing attempts referencing their utility account.
Kaspersky tracked a China-based group called Silver Fox running a tax-themed phishing campaign against organizations in India, Russia, Indonesia, Japan, and South Africa. Phishing emails impersonate the Indian Income Tax Department or Russian tax service with subjects about audits or 'lists of tax violations.' Inside the attached archive sits a modified Rust loader that pulls down a known backdoor called ValleyRAT, plus a brand-new Python-based backdoor called ABCDoor. ABCDoor handles screen recording, keystroke control, clipboard theft, and file operations. Kaspersky logged 1,600+ phishing emails between January and February 2026 across industrial, consulting, retail, and transportation sectors.