Learning Crisis Management and the Role of Lawyers from the Case of Information Leakage of 650,000 Cases at Tōken Corp.

On April 1, 2005 (Heisei 17), the Japanese Personal Information Protection Law was fully implemented, and businesses handling personal information are obliged to take safety management measures. However, incidents of personal information leakage are unceasing.

When an information leakage incident occurs, the response procedure and speed are particularly important. Especially in small and medium-sized enterprises without specialized information security staff, it is conceivable that they may not be able to decide how to respond immediately.

Therefore, this time, based on the response of Tōken Corporation to the information leakage incident, we will explain the crisis management system for information leakage.

Overview of Information Leakage

The main details regarding the information leakage caused by unauthorized access at Tōken Corporation are as follows:

• Occurrence: Over a period of 24 days from August 20, 2020, to September 12, 2020
• Discovery: October 20, 2020
• Cause: The server storing various user information was illegally accessed by a third party via the group’s homepage
• Target: Inquirers to the group company’s site, members, and applicants for various campaigns
• Information: “Email address”, “Name”, “Address”, “Phone number”, “Password”, “Gender”, “Date of birth”, etc.
• Number of cases: There is a possibility of information leakage in a total of 657,096 personal information cases

Discovery of Unauthorized Access and Initial Response

On October 20, 2020, Tokken Corporation discovered unauthorized access to their operated website “Naslack Kitchen” during a regular inspection of their website, and took the following initial actions.

• As an emergency security measure, “Naslack Kitchen” was shut down and all services provided from the site were suspended.
• An “Information Security Measures Headquarters” was established and consultations were held with external third-party organizations.
• By November 11, a survey of the entire group’s websites was conducted, temporary vulnerability corrections were made, and the maximum number of leaks and items were confirmed.

Key Points of Initial Response

When the risk of information leakage due to unauthorized access is confirmed, the following measures must be taken immediately to prevent the spread of damage, secondary damage, and recurrence.

• Confirmation of the facts (cause of unauthorized access, route, etc.)
• Shutdown of the device or site that was subjected to unauthorized access
• Disconnection of the device or site that was subjected to unauthorized access from the network

What needs to be careful at this time is to take measures to preserve evidence so as not to erase the evidence left on the system without making careless operations.

Press Release Following the Discovery of Information Leakage

The initial announcement was made on the homepage of Tōken Corporation on November 17, 2020 (Reiwa 2).

The announcement detailed the overview of the unauthorized access, future countermeasures, and other information. It also included a comprehensive Q&A section regarding the information leakage incident due to unauthorized access.

Tōken Corporation and our group companies (hereinafter referred to as our group) confirmed on October 20, 2020 (Reiwa 2), that our group’s network had been subjected to unauthorized access by a third party. As a result, there is a possibility that personal information such as inquiries to Home Mate, which is operated by our group, member information of group companies, and applicant information for various campaigns, etc., may have been leaked externally.

About the leakage of personal information due to unauthorized access[ja]

The “Q&A on the Information Leakage Incident Due to Unauthorized Access”[ja] linked on the above web page includes the following content:

About the Content of the Leaked Information

Q: What information was leaked this time?
A: We believe that “name”, “address”, “telephone number”, “email address”, and “password” have been leaked on all sites, including those operated by our group companies.

Q: Was credit card information leaked?
A: Our sites, including those operated by our group companies, do not hold any information such as credit card numbers or My Number (Japanese Individual Number) that can be used for personal identification, so there is no risk of leakage.

In explaining the leaked information, it is possible to avoid unnecessary anxiety and confusion by clearly stating ① information that may have been leaked and ② information that is not at risk of leakage.

About Future Measures

Q: Is it safe to continue using the sites, including those of Tōken’s group companies?
A: Security enhancements against similar unauthorized access have been completed on all sites operated by our group, including group companies.

Q: How will you manage information in the future?
A: In the future, we will undergo checks by third-party investigation agencies as necessary, and if any vulnerabilities are found on the site, we will immediately correct them and strive for stricter information management.

In future measures, it is important to carefully explain the security response of the site that the user was using, the possibility of reuse, and the future information management system.

Q&A on Damage Compensation, etc.

Q: Will apology money or nuisance fees be paid to those who suffered damage from the information leakage?
A: Based on the information leaked due to this unauthorized access, we do not plan to pay apology money or nuisance fees. However, if you have suffered financial damage due to this information leakage and can present specific evidence, please consult with our “Personal Information Consultation Desk”.

Q: There was a withdrawal that I don’t remember. Can I get compensation?
A: If there has been a withdrawal from your account that you do not remember, we ask that you directly contact the company that made the withdrawal. Also, if it is confirmed that this information leakage led to a withdrawal that you do not remember, we apologize for the inconvenience, but please report to our “Personal Information Consultation Desk”.

The company clearly states its policy that it will not pay apology money or nuisance fees, but it will individually consult on damage compensation in case financial damage occurs due to information leakage.

Questions Remain About the Timing of the Initial Press Release

As part of corporate crisis management, it is necessary to prioritize “preventing the spread of damage”, “preventing secondary damage”, and “preventing recurrence”.

Therefore, when an information leakage is discovered, it is important to notify the relevant parties as soon as possible after taking initial response measures.

While Tōken Corporation’s Q&A carefully answers a wide range of anticipated questions, suggesting that it was prepared in close consultation with experts such as lawyers in advance, questions remain about the announcement being made about a month after the discovery of unauthorized access.

Indeed, as a company, it would want to make an announcement after conducting investigations and measures, but shouldn’t the following four points have been announced earlier as a first report?

• Discovery of information leakage and the expected targets
• Content of the leaked personal information
• There is no possibility of leakage of credit information such as card numbers
• Future structure and schedule
• Contact point for inquiries

Key Points for Notification, Reporting, and Disclosure

When information is leaked, it is necessary to consider notifying users and business partners, reporting to supervisory authorities and the police, and disclosing information through websites and the media, depending on the cause and content of the information.

In Case of Criminal Activity

If there is a possibility of a crime related to unauthorized access, it is necessary to investigate the facts and take evidence preservation measures, and then promptly report to the police.

In the case of Tōken Corporation, a damage report was made to the Ministry of Land, Infrastructure, Transport and Tourism and the Aichi Prefectural Police Headquarters the day after the investigation of the entire group’s website was completed.

In Case of Possible Leakage of Personal Credit Information

If there is a possibility of leakage of My Number, credit card numbers, bank accounts, IDs, passwords, etc., it is necessary to promptly notify the person and urge them to stop these to prevent secondary damage.

In Case of Large Scale or Wide Impact, or When Individual Notification to All Stakeholders is Difficult

Information will be disclosed through website publication or press releases. However, if there is a possibility that disclosure may lead to further damage, consider the timing and target of the disclosure.

Also, ensuring transparency and disclosing facts as much as possible when making a public announcement will not only lead to corporate trust but also prevent further damage and similar accidents.

Announcement of the Second Press Release

On February 9, 2021, after the start of the new year, Tōken Corporation announced the second report on the leakage of personal information on their website, and made corrections to the leaked items and the number of leakages.

As a result of a re-investigation of the leaked items by a third-party forensic investigation, some differences were confirmed. Therefore, we kindly ask you to check again in Appendix 1 “About the Items for Each Site/Service”. (Excerpt) The maximum number of leaks has been revised from 657,096 cases to 655,488 cases.

The content was essentially the same as the initial press release, with minor additions such as how to deal with spam and suspicious emails. This announcement was the final one.

The Central Role of the Crisis Response Headquarters

Following the discovery of unauthorized access, Tōken Corporation has established an ‘Information Security Headquarters’. This body is committed to preventing recurrence by collaborating with external third-party organizations and the police.

While the structure of this organization is unclear, it is necessary to simultaneously carry out not only system security measures but also communication with targeted users, media response, shareholder response, and consideration of legal responsibilities. Generally, the participation of the following external third-party organizations and experts is required:

• Major software companies
• Leading security specialist vendors
• External lawyers with deep knowledge in cybersecurity

Summary

In cases like this, where a large-scale personal information leak exceeding 650,000 cases has been discovered, the importance of “initial response” and “notification, reporting, and public announcement” centered on the countermeasure headquarters, as well as “security measures,” cannot be overstated.

Speed is particularly required not only for the initial response but also for notifications and reports to the police and relevant government agencies, as well as public announcements (press releases) to stakeholders.

However, if you handle the situation incorrectly, you may be held liable for damages. Therefore, rather than making judgments on your own, we recommend proceeding with prior consultation with a lawyer who has extensive knowledge and experience in cybersecurity.

If you are interested in crisis management during Capcom’s information leakage due to malware, please see the article for a detailed description.

https://monolith.law/corporate/capcom-information-leakage-crisis-management[ja]

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with high expertise in both IT, particularly the Internet, and law. Our firm handles the creation and review of contracts for various cases, ranging from companies listed on the Tokyo Stock Exchange Prime to venture companies. If you are in trouble, please refer to the article below.