Last updated: July 5, 2026 at 9:01 AM UTC
Tag: pii (2 articles)

Aflac Japan breach exposes personal data of 4.38 million customers and agents

Aflac Life Insurance Japan, a subsidiary of the US insurance giant Aflac, says attackers broke into its policyholder portal and stole personal data belonging to about 4.38 million customers and agents. The intruders accessed systems repeatedly between June 15 and June 25, when the breach was detected through a surge in traffic, and the company suspended affected systems in response. Exposed data includes names, addresses, phone numbers, dates of birth, gender, and insurance account details, plus premium payment account information for roughly 230,000 people; no credit card data was taken. Aflac says the incident is limited to its Japan systems and does not affect its US operations.

Check
Aflac Japan policyholders and agents should watch for their notification letter, stay alert to phishing and fraud referencing Aflac or insurance accounts, and monitor bank accounts used for premium payments.
Affected
About 4.38 million Aflac Japan customers and agents whose personal and insurance data was exposed, including premium payment account details for roughly 230,000; the breach is limited to Aflac's Japan systems.
Fix
Affected people should monitor accounts for fraud and be cautious of insurance-themed phishing. Organizations should tighten access to customer portals, enforce phishing-resistant MFA, and monitor for unusual access and data exfiltration.

Booking.com confirms data breach exposing guest reservation details - phishing wave already targeting travelers

Booking.com has confirmed unauthorized access to its systems that exposed guest reservation data including names, email addresses, phone numbers, postal addresses, booking details, and any messages shared with accommodation providers. The company began emailing affected customers over the weekend but did not send alerts via the Booking.com app, creating confusion about whether the notification emails were legitimate. Booking.com says financial data was not accessed. The company has reset PIN numbers for affected reservations. The number of impacted users has not been disclosed, though Booking.com lists 6.8 billion bookings since 2010 across 30+ million properties. Reddit users are already reporting scam messages from people who appear to have real reservation details, suggesting attackers are using the stolen data for targeted phishing. The Register notes this follows a similar 2021 breach pattern where attackers compromised hotel staff logins to access the platform.

Check
If you or your employees have upcoming Booking.com reservations, be on high alert for phishing emails and messages that reference real booking details. The scams will look convincing because the attackers have the actual reservation data.
Affected
Anyone with active or recent Booking.com reservations. The exposed data (names, emails, phones, addresses, booking details, messages to hotels) gives attackers everything needed for highly targeted phishing.
Fix
Do not click links in any emails claiming to be from Booking.com or your booked hotel - go directly to booking.com to check your reservations. Verify that your booking PIN has been reset (Booking.com says they've done this automatically). Watch for emails requesting payment changes, 'verification' of card details, or 'reservation confirmations' that link to non-booking.com domains. If you uploaded passport or ID copies for your reservation, monitor for identity fraud. Note that passport/ID exposure was not confirmed by Booking.com but many hotels require these documents.