LY Corp Submits Final Security Report After 2023 Data Breach

Tokyo, Japan - LY Corporation has submitted its final progress report to Japan's Personal Information Protection Commission (PPC) and Ministry of Internal Affairs and Communications (MIC) detailing the implementation of security measures following a 2023 data breach.

The report summarizes the implementation status of measures to prevent the recurrence of the unauthorized access that was first announced in November 2023 and later updated in February 2024.

"We will continue to take corrective action for the inadequacies in our technical and organizational safety management measures," said Takeshi Idezawa, President and Representative Director, CEO of LY Corporation, in the company statement. We will also endeavor to reestablish all trust and make every effort to ensure that our users and relevant parties can utilize our services with confidence and peace of mind."

According to the company's report, LY Corporation has completed several major security enhancements, including separating private networks between NAVER Cloud Corporation and LY Corporation, separating authentication systems, and switching security operations center (SOC) monitoring from NAVER Cloud to a Japanese company.

The document outlines specific implementations, including installing firewalls to permit only necessary communications between data centers, comprehensively inspecting network access controls, and applying two-factor authentication across all internal systems employees use.

LY Corporation has also conducted penetration tests with external security firms to evaluate the effectiveness of its security measures and established a system for responding to incidents, including fact-finding and investigation protocols. 

These protocols have been tested through multiple exercises since December 2024.

According to the report, the company has revised its subcontractor management practices by implementing new security risk assessment criteria and standards. 

This includes distributing company-issued personal computers to subcontractors with network access privileges, which was completed by the end of March 2025.

As part of its governance review, LY Corporation has been working to reduce dependencies on NAVER and its affiliates. 

The company reported completing the termination of outsourcing relationships with NAVER Group companies outside of NAVER and NAVER Cloud by March 2025, with plans to end remaining outsourcing to NAVER and NAVER Cloud by December 2025.

The company continues to monitor for potential secondary damage from the original breach, though no such incidents have been confirmed as of the report submission date.

LY Corporation maintains a dedicated webpage disclosing measures to prevent recurrence, progress made, and other related information.