Notification and apology for leakage of customer information due to unauthorized access

1. Summary report

Summary

Cause of leak: Intrusion into the affected servers through unauthorized access, and theft of files
Servers involved in leak
Server (AP-A): Server providing dedicated websites for specific corporate clients
Server (Web-B): Server communicating with settlement agent company
Dates of leak
Server (AP-A): April 24-30, 2013
Server (Web-B): February 5, 2013
Customers involved in the leak
Server (AP-A): Customers who used dedicated websites of corporate clients during the period from July 1, 2008 to April 30, 2013
Server (Web-B): Customers meeting either (1) or (2) below during the period from June 1, 2012 to February 5, 2013
(1) Customers who signed up through the following website
www.telecomsquare.co.jp
(2) Customers who did not pay at one of our airport counters
Customers not involved in the leak
Customers who used the following website for the first time on or after February 6, 2013
www.telecomsquare.co.jp
Customers who used any of the websites, including the dedicated sites of corporate clients, on or after May 1, 2013
All customers who applied directly at one of our airport counters, and paid at that counter, are not involved, regardless of when they used our services.
Maximum number of cases involved
According to the investigation report, the maximum number of cases for which leakage through the unauthorized access cannot be ruled out is 97,438.
Number of cards involved in unauthorized use
At present, the number of cards reported to be involved in unauthorized use is 270.
Information for which there is possibility of leakage
Server (AP-A): Company name and position, personal name, address, e-mail address, telephone number, cardholder name, card number and expiration date of users of the dedicated sites of corporate clients
Server (Web-B): Card number and expiration date only.
*Our company does not store the card security codes printed on the back of the card.
Measures at the present time to limit further unauthorized use
All of the affected cards have been placed under the monitoring systems of the card companies to limit further harm to customers.

Explanation of each server

  • Server (AP-A): This server provides dedicated websites for specific corporate clients. Until it was stopped on April 30, it was operated inside our company's head office.
  • Server (Web-A): This server provides sign-up websites, tailored to each corporate client, for the large number of corporate clients not served by Server (AP-A). It was operated on an external cloud service until August 11.
  • Server (Web-B): This server communicates with the settlement agent company. It was operated on an external cloud service until August 11.
  • Database servers of basic system: These servers manage approx. 1 million order entry records for our company. Since January 2012 they have been operated by our company in a data center.

Configuration of servers until April 30, when the leak occurred

2. Response for customers

Fees for reissuing cards, etc.

Our company will pay fees for reissuing cards due to this incident. In addition, we have notified the card companies of our intention to do so.

Notification to customers by our company

We have begun to notify the customers involved in this leak via individual e-mails from our company. Please check the notification e-mail from our company.

  • Server (AP-A): We will report individually to the affected corporate clients and send notification e-mails to their users, client by client. The dates on which e-mails are sent will therefore vary between corporate clients.
  • Server (Web-B): Today, we began sending individual notification e-mails.

Notification to card companies by customers

Customers who wish to have their card reissued, or who have an inquiry about a charge on their credit card statement, should contact their credit card company at the telephone number on the back of the card they used for our service. If the card company has not yet received information on this incident, please notify our company's inquiry liaison indicated below.

Regarding the fact that information was posted on our website today

From the time this incident was first recognized, our company has maintained close contact with the relevant organizations, and we have taken protective measures for our customers' credit cards. In addition, the scope of the leak was initially limited to a few corporate clients, and so we first posted information on the dedicated sites of those corporate clients. However, on September 12 the card companies presented us with additional information on unauthorized use, and the scope of notification broadened to ordinary customers. This is why information was posted on our company's site only today.

3. Report on results of investigation

Background thus far

  (1) August 1 (Thurs.): Notified by card companies of suspected unauthorized card use. Requested Verizon to conduct an investigation on August 2 (Fri.).
  (2) August 9 (Fri.): Interim report presented by Verizon, pointing out the possibility of intrusion and theft of files through unauthorized access. The card information involved in the unauthorized use had predominantly been used to sign up via server (AP-A), so the card companies were asked to monitor all cards used on that server to limit further damage. At the same time, we began reporting to the corporate clients who used that server.
  (3) August 13 (Tues.): Made first report to the relevant police department. For servers other than server (AP-A), we completed relocation to a data center and began operating them ourselves, a security measure that had been planned from the beginning.
  (4) August 29 (Thurs.): Presented with the final report (1st version) by Verizon, pointing out the possibility that card information had leaked in 2,773 cases. The report did not, however, identify which information had leaked. Our company compared the results of an internal investigation against the content of that report, totaled the information held over the entire service period of server (AP-A), and determined that 6,441 cases were involved in the leak.
  (5) September 4 (Wed.): Received the final report (2nd version) and reported to the relevant authorities.
  (6) September 10 (Tues.): Began notifying individual customers of corporate clients who had used server (AP-A) in the past.
  (7) September 12 (Thurs.): Final report (3rd and final version) submitted by Verizon. Additional information on unauthorized use submitted by the card companies. Number of cases of information leakage determined to be 97,438.

Investigation results and identification of the scope of the leak

General investigation results
According to Verizon's investigation results, traces of unauthorized access from outside were found on server (AP-A), which was operated inside our company, and on servers (Web-A) and (Web-B), which were operated on an external cloud service.
However, the leaked data could not be identified because of problems such as the loss of logs. The final report (3rd and final version) from Verizon therefore took all data that had ever existed on server (AP-A), (Web-A) or (Web-B) as the maximum scope of the leak. This amounts to 97,438 sets of card information.
Investigation results for each server
Server (AP-A): The investigation results stated that "it is reasonable to believe that the location where the series of data items was stolen is server (AP-A)." Our company determined the maximum scope of leakage to be all information stored during the service period (i.e., the past 5 years).
*Server (AP-A) rebooted unexpectedly on April 24, the first day of the leak period identified for this server. At the time this was judged to be an automatic OS reboot caused by heavy processing load, and no investigation was conducted. Problems recurred after that, and operation was stopped on April 30. The data held on May 1 was transferred to a server inside a data center.
Server (Web-A): The investigation found traces of unauthorized access, but the unauthorized card use first occurred on April 16, before the intrusion into this server on May 22. For this and other reasons, the report stated that "the probability of leakage from this server is low."
Server (Web-B): The investigation results stated that "the probability that credit card numbers were stolen is believed to be low." However, based on the new information on unauthorized use provided by the card companies on September 12, it was determined that information had leaked from this server.
Basic database servers: No traces of intrusion were found, and it was determined that there was no possibility of leakage.

4. Measures to prevent recurrence in the future

Measures already taken and future efforts

We have solemnly faced up to this situation, and our entire company is working as a team to strengthen information security based on the points raised by Verizon and the results of our in-house investigation. In addition, on October 1, 2013 we will start a project, with consulting support from Secom Trust Systems, to achieve compliance with PCI-DSS Ver. 2.0, the security standard established by the five major credit card brands. The measures we have already taken prior to that are as follows.

Switching of all systems from cloud servers to servers operated by our company in a data center
By August 13, in accordance with our longstanding plan, we had relocated server (Web-A) and server (Web-B), which had been running on cloud services, to a data center with a high security level. We also strengthened log retention and management and took the following measures to prevent unauthorized access.
Adoption of IPS (Intrusion Prevention System)
On August 21, we deployed a network-level IPS for all servers operated by our company in our data center.
Adoption of WAF (Web Application Firewall)
On August 29, we deployed an application-level WAF for all web-facing servers operated by our company in our data center. At the same time, we established 24-hour manned monitoring.
Renovation of basic system
Our company's new basic system, which was already under development, is designed not to retain card information. We plan to switch to the new system during fiscal year 2013.

Configuration of servers subsequent to August 29 after measures were taken

In addition to system-based measures, we believe the real underlying issue is to improve the security awareness and skills of the personnel responsible for operations. More specifically, in parallel with the process of acquiring PCI-DSS certification, we will provide training with support from outside educational organizations, strengthen our management system to ensure that operating procedures are applied uniformly, reinforce staffing by outsourcing some operational work, and take other necessary measures.