Notice With Respect to Yahoo! BB Customer InformationNovember 30, 2004
On the evening of November 24, 2004, Nikkei BP presented us with data, described as Yahoo! BB customer information, that included the (1) names, (2) addresses, (3) telephone numbers, and (4) mobile phone numbers of 900 persons. A check revealed that this data matched a small portion of Yahoo! BB customer information for the period from March 11-22, 2003. However, the data did not include company-specific information such as users’ Yahoo! Japan IDs, and at present it is not clear if this information was taken from the company’s database. Below is a summary of our findings to date.
We would like to offer our sincere apologies to our customers and all of the parties involved for the trouble and concern that this matter has caused.
1. Content of data
(1) Names, (2) Addresses, (3) Telephone numbers, (4) Mobile phone numbers
- *Credit and security information such as credit card numbers, passwords, and records of use was not included.
2. Volume of data (No. of persons)
3. Results of check and inferences made by the company
- (1) The data on the 900 persons was found to match a small portion of the company’s customer information.
- (2) The data was found to match a small portion of data for the period between March 11 and March 22, 2003. If the data is in fact the company’s data, there is a strong possibility that it was withdrawn during this period.
- (3) The characteristics of the data suggest that it belongs to a population of client service-based customer application data (names, addresses, telephone numbers, mobile phone numbers) on as many as approximately 86,000 persons, data that was housed temporarily on a departmental server. However, since credit and security information such as credit card numbers and passwords is not kept inside the company to begin with, there is no possibility that such information was stored on this server.
4. Relation to attempted extortion of Yahoo! BB and inferences made by the company
- (1) The data in question is from the period between March 11 and March 22, 2004, and therefore falls outside of the period when the culprits in the attempted extortion case are seen to have withdrawn their data (June 2003 and January 2004); moreover, the characteristics of the previous set of data do not match those of this case. Thus, the data in question does not appear to belong to the same set of data involved in the attempted extortion incident. However, there is a possibility that people involved in the improper access to the company database in June 2003 and January 2004 adopted a similar method (using another person’s account and password) to access the server previously, and withdrew information as a kind of preliminary test.
- (2) The company customer information leaked in the attempted extortion incident has been confiscated by the police and destroyed by the offenders. Moreover, given the fact that we have had no reports of false requests for payment, there appears to be no secondary leakage.
5. Measures taken to date to strengthen the customer information management system
In March of this year, the company greatly strengthened its customer information management system, implementing as many as 649 measures, including the cutting off of client database development operations from the network, drastically reducing the number of persons with access authority (currently three people), establishing a high-security area, introducing the Bio Authentication System, and strengthening efforts to educate employees. Moreover, with measures such as the establishing of a Technical Advisory Board that allows the company to receive the advice outside experts, no effort is being spared with respect to customer information management. Irrespective of the fact that the incident in question occurred prior to the implementation of these measures, we will continue to mobilize the entire company to ensure that no effort is spared to ensure proper customer information management.
- The information is true and accurate at the time of publication.
Price, specification, contact and other information of products and service may be subjected to change. The information contains certain forward-looking statements that are subject to known and unknown risks and uncertainties that could cause actual results to differ materially from those expressed or implied by such statements.