GMO Payment Gateway

Regarding "Report on Unauthorized Access and Apology for Information Leakage" on March 10, 2017

We sincerely apologize for any concern and inconvenience this may have caused our customers and related parties.


25 Jan 2018

The PCI DSS re-audit was completed after steadily implementing all the measures to prevent recurrence described in the "Notice of Investigation Report of the Recurrence Prevention Committee" dated May 1, 2017.
We will continue to work to improve information security and strengthen our risk management system.


June 5, 2017 Continued

On June 5, 2017, as stated in the "Resumption of the Danshin Special Contract Fee Credit Card Payment Site" announced by the Housing finance Support Organization, the "Danshin Special Contract Fee Credit Card Payment Site" will be reopened from 16:00 on June 5, 2017 (Monday).

We have implemented measures to prevent recurrence based on the cause of this incident, and have confirmed safety through an audit by a third-party specialist company. On this basis, we obtained the consent of the Independent Administrative Agency Housing finance Support Organization and decided to resume the site.


May 1, 2017 Follow-up

"Notice Concerning the Investigation Report of the Recurrence Prevention Committee" has been disclosed.

For details, please refer to the following URL.
URL: https://corp.gmo-pg.com/newsroom/pdf/170501_gmo_pg_ir-kaiji-02.pdf


April 19, 2017 Follow-up

On April 19, 2017, the Tokyo Metropolitan Government Taxation Bureau announced the resumption of the "Tokyo Metropolitan Tax Credit Card Payment Site" from 9:00 a.m. on Monday, April 24, 2017.

We have implemented measures to prevent recurrence based on the cause of this incident, and have confirmed safety through an audit by a third-party specialist company. On this basis, we obtained the agreement of Toyota Finance Corporation and the Tokyo Metropolitan Government Main Tax Bureau, and decided to resume the "Tokyo Metropolitan Tax Credit Card Payment Site" from 9:00 a.m. on Monday, April 24, 2017.

The timing of the resumption of the "Group Credit Life Insurance Special Contract Credit Card payment Site" has not yet been decided, but we are working to reopen it as soon as possible.


April 17, 2017 Follow-up

On April 17, 2017, we submitted to the Ministry of Economy, Trade and Industry the report under the Personal Information Protection Act that the Ministry had requested by April 24, 2017, regarding the unauthorized acquisition of personal information through unauthorized access to our systems. The report, titled "Report based on the provisions of Article 32 of the Act on the Protection of Personal Information", is based on verification by the Recurrence Prevention Committee.
We will continue to work company-wide to promote measures to prevent recurrence and strengthen security in an effort to regain the trust of our customers.


April 14, 2017 Follow-up

As a result of an investigation by a security specialist and our company, the number of records illegally obtained from the "Metropolitan Tax Credit Card Payment Site" and the "Group Credit Life Insurance Special Contract Credit Card payment Site" has been determined as follows.
The figures below are counted per item; adding them up does not give the total number of records illegally obtained.

"Metropolitan Tax Credit Card Payment Site"
・Credit card number and expiration date: 364,181
・E-mail address: 362,049

"Group Credit Life Insurance Special Contract Credit Card payment Site"
・Credit card number and expiration date: 40,872
・Security Code (*): 31,124
・E-mail address (*): 28,552
・Address: 39,085
・Phone number: 37,380
・Name and date of birth: 36,377
(*) The Security Code and e-mail address apply only to customers who applied for credit card payment through the "Group Credit Life Insurance Special Contract Credit Card payment Site". Since the Security Code and e-mail address are not required for paper applications, these numbers are lower than the number of credit card numbers.

The figures are lower than those announced at the beginning (https://corp.gmo-pg.com/news_em/20170310.html#em00) because the initially announced figures were maximum values that included duplicate information (e.g., customers who have paid multiple times with the same card), and the duplicates have now been excluded.
At this time, we have not confirmed any fraudulent use of the illegally obtained credit card information.


April 4, 2017 Follow-up

We would like to report on unauthorized access to the "Tokyo Metropolitan Tax Credit Card Payment Site" and "Group Credit Life Insurance Special Contract Credit Card payment Site".

Since March 10, 2017, Payment Card Forensics Co., Ltd., a security company, has been conducting an investigation into the status of information leakage.
In the "Final Incident Investigation Report" dated March 31, 2017, the following three points were confirmed.

  1. Unauthorized access to the "Tokyo Metropolitan Tax Credit Card Payment Site" has been confirmed, and it has been found that the information of "credit card number, expiration date, and e-mail address" has been illegally obtained.
    The scope of unauthorized access remains the same as in the report on March 10, 2017.
  2. Unauthorized access to the Group Credit Life Insurance Special Contract Credit Card payment Site has been confirmed, and it has been found that the information reported on March 10, 2017 has been illegally obtained.
    The scope of unauthorized access remains the same as in the report on March 10, 2017.
  3. No unauthorized access was confirmed for our services other than the above two sites.

We take the contents of this report seriously, strive to prevent recurrence, strengthen security, and do our utmost to resume operations as soon as possible.
Once again, we sincerely apologize for the great concern and inconvenience caused to our customers and related parties.


March 30, 2017 Follow-up

We have received reports of a suspicious SMS (*) requesting immediate contact, sent by a company falsely using GMO's trademark and trade name.
GMO Payment Gateway, Inc. and GMO Internet Group will not send you an SMS requesting a call back. An SMS asking for such a return call may be a scam that attempts to obtain personal information illegally.

If you receive an SMS that you don't recognize, please do not contact the phone number listed.

(*) SMS: A short message service that sends and receives messages using a mobile phone number as the destination.


March 17, 2017 Follow-up

As stated in the "Update on the possibility of unauthorized access to the system of GMO Payment Gateway, Inc., an outsourced company, and the leakage of personal information" released by the Japan Housing Finance Agency on March 17, 2017, of the information that may have been leaked from the Japan Housing Finance Agency's group credit life insurance special premium credit card payment site, security codes and email addresses may have been leaked only for customers who applied for credit card payment via the "group credit life insurance special site."


March 14, 2017 Follow-up

Establishment of the "Recurrence Prevention Committee"

As announced in the "Report on Unauthorized Access and Apology for Information Leakage" on March 10, 2019, unauthorized access by a third party has been confirmed on the Tokyo Metropolitan Tax Credit Card Payment Site and on the Independent Administrative Agency Housing finance Support Organization's Group Credit Life Insurance Special Contract Credit Card payment Site, and it has been found that information may have been leaked.

We sincerely apologize for any concern and inconvenience this may have caused our customers and related parties.

The Company takes this situation seriously and is working company-wide on the possibility of information leakage due to unauthorized access and on issues related to the development and operation of the Company's systems. In order to implement even more advanced measures, it was decided at the extraordinary Board of Directors meeting held on March 14, 2019 to establish a "Recurrence Prevention Committee" that includes external expert advisors. We hereby report this decision.

Record

1. Composition of the Recurrence Prevention Committee (titles omitted)

Chairman: Issei Ainoura, President & Chief Executive Officer
Committee member: Ryu Muramatsu, Director Executive Vice President
Committee member: Satoru Isozaki, Director Executive Vice President
Committee member: Yuichi Hisada, Senior Managing Director
Committee member: Yasuhiko Kimura, Director
Committee member: Shinichi Sugiyama, Director
Committee member: Masaru Yoshioka, Director
Committee member: Yoshinobu Nakamura, Yoshinobu Nakamura Law Office, Attorney at Law
Expert Advisor: Tetsuya Oi, TMI Associates, Attorney at Law
Expert Advisor: Kuniyoshi Shirai, Professor, Graduate School of Public Relations and Information Studies, The Graduate School of Social Informatics
Expert Advisor: Takayuki Okochi, Payment Card Forensics Co., Ltd., Forensics Senior Consultant

2. Role of the Recurrence Prevention Committee

  1. Regarding the possibility of unauthorized access and information leakage, we will verify the system and operational aspects.
  2. In order to improve the overall security level of our systems, we will verify the development and operation of our systems based on the knowledge and experience of our expert advisors, and formulate measures to prevent recurrence.
  3. We will implement and monitor measures to prevent recurrence, and strive for continuous improvement and further improvement of the security level.

We sincerely apologize for any concern and inconvenience this may have caused. We will make company-wide efforts to prevent recurrence and strive to regain the trust of our customers.

Above


March 13, 2017 Follow-up

Beware of suspicious phone calls, emails, letters, and visits.

We have received a report of a phone call saying, "Your credit card information has been leaked, please give me your credit card number and Security Code because we need to take action urgently." Although its relevance to this case is unknown, credit card companies, government agencies, and governments do not make such inquiries, so please be careful not to give out any information.


March 12, 2017 Follow-up

  • Since the number of leaked records announced at the beginning was the maximum (total number), we are currently scrutinizing the number of records that could actually have been leaked. Specifically, we are identifying duplicate credit card information (customers who have paid multiple times with the same card).
  • We accept customer inquiries 24 hours a day.

[Note]

  • Customers who have used credit card payment of the special contract fee of the Independent Administrative Agency Housing finance Support Organization
    From Monday, March 20th, the reception hours have been changed to "9 a.m. ~ 9 p.m."
    After Monday, May 1st, the reception hours will be "9 a.m. ~ 5 p.m."
    * The inquiry window will be until June 23 (Friday).
    *Updated on Tuesday, June 20
  • Customers who used the Tokyo Metropolitan Government's Tokyo Metropolitan Tax Credit Card Payment Site
    From Saturday, April 8th, the reception time has been changed to "9 am ~ 9 pm".
    After Monday, May 1st, the reception hours will be "9 a.m. ~ 5 p.m."
    * The inquiry window will be until Friday, May 12th.
    *Updated on Monday, May 1
  • On Friday, March 10, a system investigation (forensic investigation) by a security company was initiated and is still ongoing.

10 Mar 2017

Dear customers,

GMO Payment Gateway, Inc.

Report of unauthorized access and apology for information leakage

GMO Payment Gateway, Inc. (hereinafter referred to as "the Company") has confirmed unauthorized access by a third party, and that information may have been leaked, on the Tokyo Metropolitan Government's Metropolitan Tax Credit Card Payment Site and the Group Credit Life Insurance Special Contract Credit Card payment Site operated by the Independent Administrative Agency Housing finance Support Organization.
We sincerely apologize for the great concern and inconvenience caused to our customers and related parties due to this situation.

1. Unauthorized access

Unauthorized access exploiting a vulnerability in Apache Struts2, an application framework, occurred on the Tokyo Metropolitan Government's Tokyo Metropolitan Tax Credit Card Payment Site and the Group Credit Life Insurance Special Contract Credit Card payment Site of the Independent Administrative Agency Housing finance Support Organization, and it has been found that the following information may have been leaked. At this time, we have confirmed that there are no similar problems with our services other than the two affected sites.

2. Information that may have been illegally accessed

■ Customers who used the Tokyo Metropolitan Government's Metropolitan Tax Credit Card Payment Site (total number of cases where credit card information may have been leaked: 676,290)

(1) Credit card number and credit card expiration date: 61,661
(2) (1) plus email address: 614,629

■ Customers who used credit card payment for the special contract fee of Danshin finance Support Organization (total number of cases in which credit card information may have been leaked: 43,540 cases)

(1) Credit card number, credit card expiration date, security code, date of application for card payment, address, name, telephone number, date of birth: 622
(2) (1) plus email address and subscription month: 27,661
(3) (1) plus email address: 5,569
(4) (1) plus the month of enrollment: 9,688

3. Background of the investigation and countermeasures

■3/9(Thurs)
18:00
Based on the information in the Information-technology Promotion Agency (IPA)'s "Vulnerability Countermeasures for Apache Struts2 (CVE-2017-5638) (S2-045)" (*1) and JPCERT's "Alert Regarding Vulnerability in Apache Struts 2 (S2-045)" (*2), we started investigating the impact on our systems.
(*1) https://www.ipa.go.jp/security/ciadr/vul/20170308-struts.html
(*2) https://www.jpcert.or.jp/at/2017/at170009.html

20:00
Completed the identification of the systems affected by the vulnerability. Began to consider countermeasures.

21:56
The WAF (*3) was set to block access matching the relevant malicious pattern. [Measure 1]
At the same time, we began investigating the possibility of unauthorized access.
*3 WAF (Web Application Firewall): A security countermeasure system that protects against attacks targeting websites and web applications running on them.

23:53
Since traces of unauthorized access were confirmed, the system on which "Apache Struts 2" is running was completely stopped. Switched to a backup system that was not connected to the network. [Measure 2]

■3/10(Fri)
00:30
Vulnerability countermeasures for "Apache Struts 2" were implemented in the backup system of [Measure 2]. [Measure 3]
As a result of the investigation, we confirmed unauthorized access to the Tokyo Metropolitan Government's Tokyo Metropolitan Tax Credit Card Payment Site and the Group Credit Life Insurance Special Contract Credit Card payment Site of the Housing finance Support Organization.

02:15
It was confirmed that there is a high possibility that data was illegally obtained on the Tokyo Metropolitan Government's Tokyo Metropolitan Tax Credit Card Payment Site and the Group Credit Life Insurance Special Contract Credit Card payment Site of the Independent Administrative Agency Housing finance Support Organization.

06:20
Determined the nature and number of potentially compromised records.

08:40~
Reported to the Tokyo Metropolitan Government's Tokyo Metropolitan Tax Credit Card payment Site Operator and the Independent Administrative Agency Housing finance Support Organization. Discussed countermeasures.

4. Future Measures to be Taken in Relation to the Incident

For customers whose credit card information has been leaked, we will proceed with the response in consultation with the relevant credit card companies. In addition, as part of considering measures to prevent recurrence, a system investigation by a security specialist company started today. In parallel, we will cooperate with the police in their investigation.

5. Inquiries regarding this matter

■ Customers who used the Tokyo Metropolitan Government's Tokyo Metropolitan Tax Credit Card Payment Site
Dedicated dial: 0120-180-600 (toll-free)

Reception hours 9 a.m. ~ 9 p.m.
After May 1 (Mon), 9 a.m. ~ 5 p.m.
* The contact point for inquiries will be until Friday, May 12th.
*Updated on Monday, May 1

■Customers who used credit card payment of the special contract fee of the Independent Administrative Agency Housing finance Support Organization
Dedicated dial: 0120-151-725 (toll-free)

Reception hours 9 a.m. ~ 9 p.m.
After May 1 (Mon), 9 a.m. ~ 5 p.m.
* The inquiry window will be until June 23 (Friday).
*Updated on Tuesday, June 20

We sincerely apologize for any concern or inconvenience this may have caused.