Japan: Issued PPC outline on the state of improvement of LINE Yahoo following personal information breach

On 22 May 2024, the Japanese Personal Information Protection Committee (PPC) published an outline of the measures implemented by LINE Yahoo in relation to the leakage of personal information. The incident occurred when a computer used by an employee of a Korean company, a business contractor of LY Corporation, became infected with malware, leading to unauthorised access to LY Corporation's information system and resulting in the leakage of personal data related to LINE. As of 26 April 2024, LY reported some advancements, including the implementation of two-factor authentication and the installation of firewalls between LY and NAVER Cloud (NC) data centres. PPC noted that despite these improvements, a number of security enhancements remain incomplete or are still in the planning stages. In particular, the delineation of responsibilities between LY and the contractor has proven to be a significant impediment to the implementation of a comprehensive system for the secure management of personal data. The organisational structure has been found to be ineffective in promptly addressing such security issues. LY continues to maintain extensive network connections without implementing adequate access control measures, which impedes the timely response to data breaches and other incidents. LY has devised a plan to separate the authentication infrastructures for systems managed by LY and its overseas subsidiaries. This plan is scheduled for completion by March 2025 for LY and by December 2026 for its overseas subsidiaries. The company is required to expedite improvements with a reporting deadline set for 28 June 2024.