Tokyo, Japan—The Personal Information Protection Commission has issued an administrative order to LINE Yahoo Corporation (LY) regarding a data leak that affected approximately 520,000 individuals.
The leaked data included information on LINE users, business partners, and employees.
The leak originated from a PC owned by an employee of Company A, a security maintenance company in South Korea that had a business contract with LY.
Between September 14th and October 27th, 2023, the infected PC allowed attackers to gain unauthorized access to LY's information systems through the network of NAVER Cloud.
This South Korean company provides IT services to LY.
Of the 520,000 individuals affected, 339,995 had confirmed data breaches, while 120,511 were at risk of potential data exposure.
The leaked information included LINE users' service usage history, which could reveal personal behavioral patterns, financial status, interests, and preferences.
The Commission found deficiencies in LY's organizational security management measures, such as inadequate oversight of outsourced companies handling personal data and insufficient access control to critical systems storing sensitive user information.
It recommended that LY establish an organizational structure to ensure thorough security management and improve its systems to prevent and respond to data breach incidents.
In 2021, Japan's data protection authority instructed LY to improve the supervision of outsourced data handling after a previous incident.
The recurrence of data breaches has increased regulatory pressure on LY to strengthen its data protection measures.
