LINE Yahoo, a major IT company in Japan, recently faced a significant setback. In November, the company announced a potential data breach impacting approximately 440,000 users of the LINE app, with confirmed leaks in about 390,000 cases.
The Data Breach
The leaked information included details that could potentially identify users, such as age, gender, and call frequency, covering over 20 different data points. Additionally, around 22,000 pieces of data considered private under Japan’s constitution’s “secrecy of communications” were believed to have been leaked.
Following the breach, Japan’s Minister of Internal Affairs and Communications, Junji Suzuki, criticized the company at a press conference for failing to protect user information adequately. The Ministry of Internal Affairs and Communications demanded a report based on the Telecommunications Business Act. There’s frustration in Nagatacho, a political hub in Japan, regarding the company’s apparent lack of urgency and awareness as an essential infrastructure provider.
This isn’t the first time LINE Yahoo’s lax information management has been highlighted. In 2021, it was discovered that a subcontractor in China had access to LINE users’ personal information, including names, phone numbers, email addresses, and even conversations and photos in the app’s “Talk” feature. LINE was administratively guided by the government’s Personal Information Protection Commission and the Ministry of Internal Affairs and Communications to reflect deeply on its practices.
The Current Breach
The recent breach’s root cause may be linked to China, raising concerns about the potential compromise of sensitive information of Japanese officials. One factor in the cyber-attack was the presence of parent company Naver. LINE Yahoo and Naver share a common authentication foundation due to their employees using the same systems, which allowed access to LINE Yahoo’s internal network. The breach occurred through a Naver subsidiary’s computer infected with malware, which then accessed LINE Yahoo’s server.
The company’s response has been criticized for its delay. The unauthorized access was detected eight days after it occurred, and it took 18 days to block server access. The public disclosure of the data breach happened a month after recognizing the high likelihood of external unauthorized access.
The data breach has raised questions about LINE Yahoo’s strategic decisions, particularly regarding the integration of IDs from ZHD and LINE. The plan was to mutually direct traffic between LINE (with 96 million users) and Yahoo (54 million users) to boost their struggling e-commerce business. However, the data breach delayed these plans, and the integration was only realized in October. There are growing concerns among users and investors about the safety of this ID integration.
Impact on Business Operations
The data breach has had far-reaching impacts, including LINE Yahoo’s decision to cancel a planned bond issuance in early December. The issuance, intended for institutional investors to refinance existing debts, was supposed to raise about 50 billion yen but was called off due to the crisis.
Softbank, a major shareholder, is deeply concerned. Junichi Miyakawa, known as a close associate of SoftBank’s Masayoshi Son, had planned the merger of LINE and Yahoo to revitalize Yahoo through the integration with LINE’s users and the “PayPay” smartphone payment service. However, the data breach has cast doubt on this strategy. The integration of LINE, Yahoo, and PayPay, scheduled for fiscal 2024, now faces an uncertain future.
A telecommunications industry insider commented, “For Miyakawa, LINE has been full of miscalculations. It’s a pity because common sense does not apply there.”
A SoftBank associate lamented, “While LINE’s development capabilities and speed are commendable, their defensive weaknesses are frustrating. Trust recovery seems the only way forward.”
LINE Yahoo’s recent data breach highlights the complexities and challenges in managing user data securely, especially in a rapidly evolving digital environment. The company now faces the significant task of rebuilding trust and ensuring stringent security measures to prevent future breaches.