Last Update: March 31, 2025
The following is a summary of the progress made on the recurrence prevention measures reported to Japan’s Ministry of Internal Affairs and Communications (“MIC”) on April 1, 2024.
The items and progress details of the recurrence prevention measures are also available in the summary of the reports submitted to the MIC.
| April 1, 2024 |
Report on MIC’s Administrative Guidance Dated March 5, 2024 (Summary) |
|---|---|
| July 1, 2024 |
Report Submitted on July 1 in Response to MIC’s Administrative Guidance on March 5 and April 16, 2024 (Summary) |
| September 30, 2024 | |
| December 27, 2024 | |
| March 31, 2025 |
| Administrative Guidance |
LY Corporation's Measures | Progress of Measures | Next Steps | |
|---|---|---|---|---|
| 1. Reviewing of safety management based on separating networks from NAVER Cloud | Separate the networks of NAVER Cloud and the former LINE environment, and reinforce protections for LY Corporation's servers/networks and internal systems | Block unnecessary telecommunications from NAVER and NAVER Cloud | Underway ・ Completed setting up firewalls and blocked unnecessary telecommunications as of March 2024 (March 2024) ・ Reviewed firewall policy accompanying the relocation of servers/data to Japan, changed settings, and deleted unnecessary firewall policies (June 2024) ・ Completed the formulation of plans on the termination/reduction of outsourcing (June 2024) ・ Removed firewall policies deemed unnecessary during configuration maintenance conducted once every three months (completed September 2024) ・ After conducting a total inspection of the connection paths between the external environment and former LINE data centers, completed corrective actions based on the inspection results (inspection completed at end of August 2024, corrective actions completed at the end of September 2024) ・ Drafted plan on outbound communication control from former LINE data centers to NAVER Cloud data centers (end of August 2024) ・ Completed application of firewall policies to outbound communications (end of October 2024) ・ Completed inspection of firewall policies for outbound communications (end of December 2024) ・ Built application process for adding new firewall policies for outbound communications (end of December 2024) ・ Blocked unnecessary telecommunications from NAVER and NAVER Cloud accompanying the separation from systems managed by NAVER and NAVER Cloud and termination of consignments to these companies (end of March 2025) |
Continuously conduct maintenance of firewall policies |
| Apply two-factor authentication to systems used by our employees | Completed ・ Completed application except for some systems in the former Yahoo Japan environment (March 2024) ・ Completed the distribution of authentication devices and application of two-factor authentication to employees working in restricted areas where bringing in of smartphones are not allowed (end of June 2024) ・ Applied two-factor authentication to remaining systems in the former Yahoo Japan environment, and completed application of two-factor authentication to all internal systems used by our employees (end of October 2024) |
- | ||
| Separate systems from NAVER and NAVER Cloud | Underway ・ Completed system separation from NAVER and NAVER Cloud, excluding systems containing data used for accounting audits and tax reporting (end of March 2025) |
Regarding employee systems: End of March 2026 – Systems used by Japanese subsidiaries End of March 2026*1 – Systems used by subsidiaries outside of Japan |
||
| Separate authentication systems | Cease using authentication system managed by NAVER Cloud and replace it with our own | Underway ・ Ceased using our management systems that were directly linked to NAVER's authentication system and switched over to our own separate one (March 2024) ・ Completed operational separation (June 2024) ・ Completed separation of LY Corporation's authentication system through the system separation at the end of March 2025 (end of March 2025) |
End of March 2026 – Complete separation of authentication systems used by Japanese subsidiaries End of March 2026*1 – Complete separation of authentication systems used by subsidiaries outside of Japan |
|
| Establish an independent operational structure for SOC (Security Operation Center) | Transfer SOC Tier 1 duties to SOC structure under LY Corporation and our other Japanese group companies | Completed ・ Migrated the monitoring logs managed by NAVER Cloud to a Japanese company (March 2024) ・ Drafted an improvement plan for incident response system and completed external evaluation (end of June 2024) ・ Started conducting SOC Tier 1 monitoring in Japan (October 2024) ・ Conducted periodic exercises on incident response multiple times (December 2024 to March 2025) |
Continuously conduct periodic exercises on incident response | |
| 2. Reviewing of safety management measures | Rectify management of Active Directory | Completed (March 2024) | - | |
| Strengthen access control on critical systems | Completed ・ Defined critical systems and the required safety management measures and completed building a mechanism for identifying/evaluating risks of critical systems (end of June 2024) ・ Completed incorporating the above in a regulation (July 1, 2024) ・ Completed identification of critical systems (September 2024) ・ Confirmed compliance of critical systems with safety management measures and completed correction of non-compliant areas (confirmation completed in October 2024, correction completed at end of December 2024) ・ Formulated review implementation plans for safety management measures that meet current trends (November 2024) |
- | ||
| Form countermeasure plans with an outside company | Completed ・ Received proposals from an outside company (March 2024) ・ Issued reminder and performed e-learning on storage of passwords (end of April 2024) ・ Confirmed that measures are appropriately implemented in NAVER Cloud environment (end of May 2024) ・ Disabled management share functionality in the servers of our data centers (June 2024) |
- | ||
| Verify effectiveness along with fundamentally improving and strengthening cybersecurity measures/security monitoring | Completed ・ Penetration test conducted by an external company and drafted corrective action plan on items identified (end of August 2024) ・ Analyzed current status and validated effectiveness with an outside organization to review mechanisms for behavior-based detection, etc. and rules for correlation analyses, etc. (end of August 2024) ・ Implemented all of the detection rules that had been planned, based on the effectiveness verification results of behavior-based detection and correlation analysis rules (February 2025) ・ Corrected items identified in the penetration tests and considered framework for correction, etc. (end of March 2025) |
Continuously review detection rules, introduce formulated frameworks, and conduct periodic monitoring of improvements | ||
| 3. Reviewing of subcontractor management measures | Review subcontractor management measures | Review standards for assessing security risks at subcontractor companies | Completed (March 2024) | - |
| Consider methods of supervision and formulate/implement standards to effectively manage subcontractors based on the risks involved | Completed Completed establishing internal regulations/organizations and started evaluating suppliers and project risks (July 2024) |
To be sequentially implemented under said structure | ||
| Create safety management/cybersecurity measures | Completed ・ For subcontractors with accounts issued by LY Corporation, implemented two-factor authentication for accessing our networks (January 2024) |
- | ||
| Lend PCs to subcontractors for the purpose of enabling us to confirm any breaches and their extent | Completed*2 ・ Started loaning out PCs to subcontractors with accounts issued by LY Corporation (March 2024) ・ Completed loaning out PCs to subcontractors performing our work, blocked access from PCs not loaned from LY Corporation, and deleted accounts deemed unnecessary (lending of PCs completed at end of September 2024, access blocked and accounts deleted in October 2024) ・ Completed loaning out PCs to subcontractors other than those noted above that have access to LY Corporation’s network, blocked access from PCs not loaned from LY Corporation, and deleted unnecessary accounts (end of March 2025) |
- | ||
| Manage and supervise NAVER Cloud's safety management measures | Conduct on-site investigations and request corrective action of NAVER Cloud and other subcontractors involved in the incident | Completed ・ Conducted an on-site investigation at NAVER Cloud and requested them to take corrective action (February 2024) ・ Conducted on-site investigations at other subcontractors involved in the incident and terminated contracts with them (end of March 2024) ・ Conducted audit on NAVER Cloud based on the content of the outsourcing (from February to April and June 2024) ・ Confirmed that the requested corrective actions have been taken (end of June 2024) |
Continue periodic audits towards NAVER Cloud | |
*1 The original December 2026 completion date has been moved up to March 2026.
*2 There are some subcontractors with which access is not blocked, but risk mitigation measures are taken with the approval of LY Corporation’s CISO. For details, please refer to the Report Submitted on March 31, 2025 (Summary).
We are reviewing and strengthening security governance across the entire Group.
Please refer to the “Report Submitted on March 31, 2025 in Response to MIC's Administrative Guidance on March 5 and April 16, 2024 (Summary)” for details on the measures taken and the latest status.
Report Submitted on March 31, 2025 in Response to MIC's Administrative Guidance on March 5 and April 16, 2024 (Summary)
We opened this page on April 1, 2024 to serve as a place to disclose information to our users.
Along with information on the countermeasures we are taking to prevent a recurrence, we will promptly update the page whenever there is information that needs to be published in the interest of protecting our users.
Regarding administrative guidance issued by the Ministry of Internal Affairs and Communications
Submission of Report to Ministry of Internal Affairs and Communications and Opening of Dedicated Incident Page
Regarding Administrative Guidance Issued by the Ministry of Internal Affairs and Communications
Submission of Report to the Ministry of Internal Affairs and Communications Dated July 1, 2024
Submission of Report to the Ministry of Internal Affairs and Communications Dated September 30, 2024
Submission of Report to the Ministry of Internal Affairs and Communications Dated December 27, 2024
Submission of Report to the Ministry of Internal Affairs and Communications Dated March 31, 2025