LINE Yahoo response does not satisfy Ministry of Internal Affairs and Communications

Norbert Gehrke
Published in Tokyo FinTech
Apr 20, 2024

On March 5, 2024, the Ministry of Internal Affairs and Communications issued administrative guidance titled “Regarding Thorough Protection of Communications Secrecy and Ensuring Cybersecurity” to LINE Yahoo Corporation. On April 1, the company submitted a report on its efforts to prevent recurrence of data leakage incidents.

According to the report, while some emergency measures have been implemented, the safety management measures and management of contractors cannot be considered sufficient at this point. Additionally, the prospect of a thorough review of the group-wide security governance structure, including the parent company, is not necessarily clear. Therefore, it was determined that the company needs to accelerate its countermeasures and reviews.

Details of the Measures

Based on the above, the Ministry has this week issued further written administrative guidance (below) to LINE Yahoo, demanding the implementation of the following measures and clear reports on the implementation status and plans:

  1. Fundamental review and strengthening of safety management measures and contractor management in light of this incident, and acceleration of countermeasures
  2. Acceleration of consideration for a substantial review of group-wide security governance, including the parent company
  3. Thorough response to users through regular public updates on the progress of efforts

The Ministry will continue to provide necessary guidance and supervision to protect communications secrecy and ensure cybersecurity.

Administrative Guidance (April 16, 2024)

On April 1, 2024, your company submitted a report to our ministry on your policy and implementation status regarding the necessary measures for preventing recurrence, based on the administrative guidance issued by our ministry on March 5, 2024 demanding thorough protection of communications secrecy and ensuring cybersecurity.

According to the report, while some emergency measures such as applying two-factor authentication have been implemented, there are still many unimplemented measures despite having implementation plans. From the perspective of protecting communications secrecy and ensuring cybersecurity, it is difficult to say that safety management measures and contractor management are sufficient at this point (in particular, it is stated that complete separation of the network from the NAVER side will not be achieved for more than two years). There is a need to accelerate the countermeasures.

Additionally, regarding the fundamental review and strengthening of the security governance for the entire group including the parent company, the report stated that there is a “policy to gradually reduce and terminate the outsourcing relationship with the NAVER side, including outsourcing of service development operations and utilization of service infrastructure systems”, not just the outsourcing of internal system/network operations to the NAVER side. However, at this point, it is only stated that “basic verification is being carried out toward realization”, and no specific measures have been presented as to which outsourcing relationships will be reduced, terminated, or maintained, and by when.

As for the review of the relationship where you receive a considerable degree of capital control from the NAVER side, which is your outsourcing partner, the report only states that you have made a “request to review the capital relationship” to your parent company, A Holdings Inc., “in order to realize an objective relationship where LINE Yahoo can sufficiently manage the outsourcing partner without being influenced by the capital relationship with the NAVER side, which provides multiple system usages and technical support.”

As pointed out in the March 5, 2024 Administrative Guidance, in order to make the countermeasures effective and surely prevent recurrence of similar incidents, it is required to construct a security governance system for the entire group including the parent company, to enable proper management and supervision of the outsourcing partner, including the review of the relationship where you receive a considerable degree of capital control from the outsourcing partner. However, as mentioned above, the report submitted on April 1 does not clearly show the prospect of a sufficient review being conducted for this purpose.

Your company should re-recognize that the LINE service you provide is a service used daily by the majority of the Japanese public, including public institutions such as local governments. You should also share this recognition with the entire group of companies including your parent company. In addition to reporting on the progress of the “request to review the capital relationship”, you need to accelerate your consideration of the necessary measures to construct a security governance system.

Accordingly, we request that you take the following measures. Please report specifically and clearly on the status of implementing these measures and your implementation plan by July 1, 2024.

(1) Acceleration of the fundamental review and strengthening of safety management measures and contractor management based on this case

  • For the safety management measures and contractor reviews for which a clear implementation plan has not been formulated at the current stage, formulate a plan promptly and submit it, and steadily promote its implementation (in particular, formulate a clear plan promptly and implement it for the measure to separate the network that has been shared between your company and the NAVER side)
  • Steadily implement the countermeasures planned for future implementation, and if possible, bring forward the schedule and implement them earlier
  • Regarding the countermeasures already implemented or planned to be implemented within the next year (especially the separation of the authentication infrastructure and independent operation of the SoC operations), continuously monitor the progress of the plan and verify its effectiveness from the perspective of preventing recurrence, and take additional measures as necessary

(2) Acceleration of consideration for the fundamental review of the security governance for the entire group including the parent company

  • Regarding the “policy to gradually reduce and terminate the outsourcing relationship with the NAVER side” stated in the report, report on the basic approach and the specific scope of targets for the “outsourcing to the NAVER side” subject to this policy; in particular, clarify whether the use of systems or services provided by the NAVER side is included in the scope
  • Based on the above, formulate and report a specific plan for realizing the “policy to gradually reduce and terminate the outsourcing relationship with the NAVER side” (specifying which outsourcing relationships will be reduced, terminated, or maintained, and by when)
  • Promptly conduct a review for the entire group including the parent company, regarding the revision of the management structure to enable proper management and supervision of the outsourcing partner, including the review of the relationship where you receive a considerable degree of capital control from the outsourcing partner, and report the results of the review specifically.

(3) Thorough response to users by regularly disclosing progress on initiatives

  • Continue to monitor for secondary damage and provide appropriate information to users regarding this case, and regularly update and disclose information on the initiatives described in (1) and (2) above and their progress to ensure user understanding
