Dec 22, 2023
Report Regarding Possible Information Leak
As disclosed in “Notice Regarding Possible Information Leak” on December 7, 2023, we were made aware that files containing personal information created on a cloud service used by Ateam Inc. and its subsidiaries could possibly be viewed on the Internet. As the investigation of this matter has concluded, we would like to report our findings and our efforts to prevent reoccurrence.
As previously reported, after this incident became known, access to the files on the cloud service were restricted, and the files in question can no longer be viewed.
On November 21, 2023, we discovered that personal information in files located on the cloud service “Google Drive” used by our group could possibly be viewed through the following method. Permissions for the files were set to “Anyone on the internet with the link can view”, allowing anyone who knew the exact URL link to access the files.
Information pertaining to business partners, customers, and employees such as device identification numbers, customer management numbers, e-mail addresses, names were included within the viewable records. Sensitive personal information or personal data that may cause property damage were not included in the data.
The discovery of the potential leak was made after a report checking the accuracy of a security product being considered for implementation detected files that were at risk.
1.Parties Who May Be Affected
￭Customers who have used services and applications operated by our group
(ii) Business Partners
￭Business partners whom has contracted or done business with us
￭Business partners who have had correspondence with the group’s employees via e-mail or other means
(iii) Candidates for Employment
￭New graduates and mid-career recruits who have applied to our group
￭Students who participated in internships at our group
￭Employees of our group (including retired employees)
2.Regarding Potentially Leaked Information
After our extensive investigation, the following personal information may have been leaked.
Number of Potentially Leaked Files and People Affected
￭Number of files containing personal information: 1,369
￭Number of people affected: 935,779
* The number of people affected was determined by any information that could be uniquely linked to an individual and does not include duplicates.
Number of Potential Personal Information Leaks
The number of people whose personal information may have been viewed is as follows.
※Companies that have submitted reports to Japan’s Personal Information Protection Commission (PIPC) are counted.
※The breakdown of the number for (ⅳ) Employees is omitted.
Content of Potentially Leaked Information
The following information may have been leaked. We have confirmed that no sensitive personal information or personal data that may cause property damage is included with in the affected data.
※Information from companies that have submitted reports to PIPC is listed above.
※Viewable information varied depending on the file.
3.Period in which Information was Viewable
March 2017 to November 22, 2023
※The start of the period was determined by the creation date of the oldest files.
※The period differs depending on the creation date of each file.
The discovery was made after a report checking the accuracy of a security product being considered for implementation detected files that were at risk. An investigation of the files managed by Google Drive, the cloud service used by Ateam, revealed on November 21, 2023 that some personal information could be viewable on the Internet.
On November 22, 2023, after the discovery of this incident, we restricted access to files on the cloud service so the personal information was no longer viewable if the file’s link was known and started an investigation into the matter.
After this incident came to light, we promptly submitted a preliminary report to PIPC, and then disclosed details regarding the status of our investigation in “Notice Regarding Possible Information Leak” on our corporate website on December 7, 2023.
We submitted a final report to the PIPC on December 20, 2023 after concluding our investigation.
Permissions for files containing personal information created in the cloud service “Google Drive” were incorrectly set to “Anyone on the internet with the link can view”.
6.Contacting Affected Parties
Since December 20th, we have been notifying parties individually by e-mail whose personal information may have been leaked regarding the current situation and future preventative measures we plan to take.
In addition, the notice of this incident has been disclosed on each corporate website of our group. We have established a contact point for inquiries regarding this incident for those who are concerned with the possibility of personal information leak, which is listed at the end of this notice.
7.Possibility of Secondary Damage
At the time of this announcement, there has been no confirmation whether any unauthorized use of data or other damages have occurred.
We ask those who were potentially affected to be careful with any suspicious inquiries. We will make every effort to prevent the damage from spreading. However, in the unlikely event that damage caused by a third party is confirmed, please contact us at the e-mail addresses listed below.
8.Reoccurrence Prevention Measures
As measures to prevent reoccurrence in the future, we will strive to (i) strengthen monitoring through security tools, (ii) review file sharing settings and permissions, and (iii) increase awareness of officers and employees regarding the handling of personal information.
(i) Strengthen Monitoring Using Security Tools
The Information Systems Division will strengthen security monitoring using tools and reduce the risk of information leaks through strict data management protocols.
(ii) Review File Sharing Settings and Permissions
For cloud services that manage and share files, such as “Google Drive,” we have checked permissions and external sharing has been limited by disabling settings.
(iii) Increase Awareness of Officers and Employees Regarding the Handling of Personal Information
We aim to increase the awareness of the management of personal information by strengthening management systems, revising regulations and rules, and thoroughly familiarizing employees with the information. In addition, we plan to invite an external third-party lecturer to provide training for officers and employees.
We take this situation seriously and will make every effort to strengthen and thoroughly manage personal information to prevent such a situation from occurring again in the future. We would like to express our apologies for any inconvenience and concern we have caused to anyone that was affected.
For inquiries regarding this incident, please contact us at the e-mails listed below.