Rakuten, Inc. has confirmed that certain data related to Rakuten Ichiba merchants and prospective merchants who have requested materials about Rakuten Ichiba stored in a cloud-based sales management system provided by an external company has been accessed by unauthorized third parties. In response to this incident, Rakuten completed a revision of all related system settings on November 24, 2020, the same day the unauthorized access was confirmed, and is investigating the unauthorized access. After the related system settings were changed, no unauthorized access of this type has been identified. Additionally, as of this date, Rakuten has not identified any direct damage to businesses related to this unauthorized access.
Rakuten sincerely apologizes for any inconvenience or anxiety caused to current or prospective business customers as a result of this incident.
Please see below for an outline of the incident and the measures taken to address it.
1.Overview
On November 24, 2020, Rakuten was notified by an external information security expert alerting the company to the fact that certain data related to Rakuten Ichiba merchants and prospective merchants who have requested materials about Rakuten Ichiba stored in a cloud-based sales management system used by Rakuten was accessible by a third party. On the same day, Rakuten launched an internal investigation led by the company's information security department and completed a revision of all related system settings.
Additionally, as a result of this investigation, the company confirmed that a subset of data managed by Rakuten related to businesses had been accessed by unauthorized third parties located outside Japan. Rakuten has identified no unauthorized access since the related system settings were updated. In the event that any new impact of this incident is identified, Rakuten will provide timely updates as appropriate.
2. About the data potentially made accessible by unauthorized third parties
Rakuten, Inc: Data related to Rakuten Ichiba merchants and prospective merchants who have requested materials about Rakuten Ichiba
Data categories: Company name, shop name, address, merchant representative name, contact person name, phone number, fax number, email address and sales-related information regarding some merchants or potential merchant customers of Rakuten Ichiba.
Accessible period: January 15, 2016 to November 24, 2020
Maximum number of accessible data records: Up to 1,381,735 data records (of which, 208 data records were confirmed to have been accessed by unauthorized third parties)
3. Reason for unauthorized access
Insufficient security settings within the cloud-based sales management system provided by an external company.
4. Countermeasures taken to date
Rakuten has taken the following countermeasures.
1)Revised settings for cloud-based sales management system
As of November 24, 2020, the same day the unauthorized access was confirmed, the settings for the cloud-based sales management system have been changed to prevent external access from third parties. Rakuten has identified no unauthorized access of this type since the related system settings were changed.
2)Notification to businesses whose information may have been viewed
Rakuten Ichiba is reaching out to related businesses with details on what has occurred and contact information in the event that any damage is found.
3)Reported to the Personal Information Protection Commission
Rakuten has submitted a report based on the results of Rakuten's internal investigation to the Japanese government's Personal Information Protection Commission.
5. Dedicated contact center for this incident
※Contact center regarding this issue was closed at the end of May.
6. Measures to prevent future occurrences
The privacy and security of data is of the highest level of priority to Rakuten and this incident is being treated accordingly. We are currently increasing security measures for using cloud-based sales management systems provided by external companies and will continue to thoroughly review and revise these methods on a regular basis in order to ensure data privacy and security and prevent reoccurrences of similar incidents.