Information and Progress on Measures to Prevent Recurrence in Accordance with PPC’s Request for Reports, Etc. and Recommendation

Last Update: March 31, 2025

The following is a summary of the progress made on the recurrence prevention measures reported to Japan’s Personal Information Protection Commission (“PPC”) on April 26, 2024.
The items and progress details of the recurrence prevention measures are also available in the summary of the reports submitted to the PPC.

April 26, 2024 Report in Response to Recommendations and Request for Reports Received from PPC dated March 28, 2024 (Summary)pdf
June 28, 2024 Report Submitted on June 28, 2024, in Response to Request for Report and Recommendation Received from PPC dated March 28, 2024 (Summary)pdf
July 1, 2024 Future Policies and Plans Regarding the Outsourcing Relationship with NAVER Corporationpdf
September 30, 2024 Report Submitted on September 30, 2024, in Response to Request for Report and Recommendation Received from PPC dated March 28, 2024 (Summary)pdf
December 27, 2024 Report Submitted on December 27,2024, in Response to Request for Report and Recommendation Received from PPC dated March 28, 2024 (Summary)pdf
March 31, 2025 Report Submitted on March 31,2025, in Response to Request for Report and Recommendation Received from PPC dated March 28, 2024 (Summary)pdf
Administrative Guidance LY Corporation's Measures Progress of Measures Next Steps
(1) Taking corrective actions for inadequate technical safety management measures Correct network connection between NAVER Cloud's data center and our data center Block unnecessary telecommunications from NAVER and NAVER Cloud Underway
  • Completed setting up firewalls and blocked unnecessary telecommunications as of March 2024 (March 2024)
  • Reviewed and changed the settings of firewall policies accompanying the relocation of servers/data to Japan. Deleted unnecessary firewall policies. (June 2024)
  • Completed drafting plans on termination/reduction of outsourcing (June 2024)
  • Removed firewall policies deemed unnecessary during maintenance of settings conducted once every three months (completed September 2024)
  • Blocked unnecessary telecommunications from NAVER and NAVER Cloud accompanying the separation from systems managed by NAVER and NAVER Cloud and termination of consignments to these companies (end of March 2025)
 Continuously conduct maintenance of firewall policies
Cease using authentication system managed by NAVER Cloud and replace it with our own Underway
  • Switched our management systems that were directly linked to NAVER's authentication system to our own separate one (March 2024)
  • Completed operational separation (June 2024)
  • Completed separation of LY Corporation's authentication system through the system separation at the end of March 2025 (end of March 2025)
 End of March 2026 – Complete separation of authentication systems used by Japanese subsidiaries
End of March 2026*1 – Complete separation of authentication systems used by subsidiaries outside of Japan
Separate systems from NAVER and NAVER Cloud Underway
Completed system separation from NAVER and NAVER Cloud, excluding systems containing data used for accounting audits and tax reporting (end of March 2025) 		Regarding employee systems:
End of March 2026 – Systems used by Japanese subsidiaries
End of March 2026*1 – Systems used by subsidiaries outside of Japan
Take corrective actions regarding access management of highly critical information systems Apply two-factor authentication to systems used by our employees Completed
  • Completed application except for some systems in the former Yahoo Japan environment (March 2024)
  • Distributed authentication devices and implemented two-factor authentication to employees working in restricted areas where bringing in of smartphones are prohibited (End of June 2024)
  • Applied two-factor authentication to remaining systems in the former Yahoo Japan environment and completed application of two-factor authentication to all internal systems used by our employees (end of October 2024)
 -
Conduct a security diagnosis on authentication processes for critical systems and fix any vulnerabilities found Completed (March 2024) -
Rectify management of Active Directory Completed (March 2024) -
Take other corrective actions for the technical safety management measures Conduct total inspection of connection paths between outside environment and the data centers of former LINE Completed
  • After conducting a total inspection of the connection paths between the external environment and former LINE data centers, completed corrective actions based on the inspection results (inspection completed at the end of August 2024, corrective actions completed at the end of September 2024)
  • Drafted plan on outbound communication control from former LINE data centers to NAVER Cloud data centers (end of August 2024)
  • Completed application of firewall policies to outbound communications (end of October 2024)
  • Completed inspection of unnecessary telecommunications (end of December 2024)
  • Built application process for adding new firewall policies for outbound communications (end of December 2024)
  • Revised/deleted firewall policies based on the inspection results of December 2024 (February 2025)
 Continuously conduct maintenance of firewall policies
Form plans with an outside firm Completed
  • Received proposals from an outside firm (March 2024)
  • Reminder and e-learning regarding storage of passwords (End of April 2024)
  • Confirmed that measures have been implemented appropriately at NAVER Cloud’s environment (end of May 2024)
  • Disabled management share functions in the servers of our data centers (June 2024)
 -
Verify effectiveness along with fundamentally improving and strengthening cybersecurity measures/security monitoring Completed
  • Penetration test conducted by an external company and drafted corrective action plan on items identified (end of August 2024)
  • Analyzed current status and validated effectiveness with an outside organization to review mechanisms for behavior-based detection, etc. and rules for correlation analyses, etc. (end of August 2024)
  • Implemented all of the detection rules that had been planned, based on the effectiveness verification results of behavior-based detection and correlation analysis rules (February 2025)
  • Corrected items identified in the penetration tests and considered framework for correction, etc. (end of March 2025)
 Continuously review detection rules, introduce formulated frameworks, and conduct periodic monitoring of improvements
(2) Taking corrective actions for inadequate organizational safety management measures Understand the status of personal data handling and carry out assessment, review, and improvement of safety management measures Review standards for security risk assessment Completed (March 2024) -
Consider methods of supervision and formulate/implement standards to effectively manage subcontractors based on the risks involved Established internal regulations/organizations and started evaluating suppliers and project risks (July 2024) To be sequentially implemented under said structure
Create safety management/cybersecurity measures Completed (January 2024)
For subcontractors with accounts issued by LY Corporation, implemented two-factor authentication for accessing our networks		 -
Lend PCs to subcontractors for the purpose of enabling us to confirm any breaches and their extent Completed*2
  • Started loaning out PCs to subcontractors with accounts issued by LY Corporation (March 2024)
  • Completed loaning out PCs to subcontractors performing our work, blocked access from PCs not loaned from LY Corporation, and deleted accounts deemed unnecessary (lending of PCs completed at end of September 2024, access blocked and accounts deleted in October 2024)
  • Completed loaning out PCs to subcontractors other than those noted above that have access to LY Corporation’s network, blocked access from PCs not loaned from LY Corporation, and deleted unnecessary accounts (end of March 2025)
 -
Implement risk management in accordance with the relationship with NAVER Cloud Completed
  • Conducted an on-site investigation at NAVER Cloud and requested them to take corrective action (February 2024)
  • Conducted audits in accordance with consignments and confirmed that requests for corrective actions have been performed (end of April, end of June 2024)
  • Conducted employee survey for the purpose of improving security governance (July 2024)
  • Conducted employee survey regarding the LY Corporation Group Code of Conduct (November 2024)
 Continue periodic audits towards NAVER Cloud.
Continue solving issues and making improvements based on employee feedback.
Establish plans to terminate/reduce consignments to NAVER/NAVER Cloud Underway
  • Drafted plans to terminate/reduce use of technology/systems and consignments on service planning/features/development (June 2024)
  • Completed conducting risk assessment for remaining consignments (end of September 2024)
  • Terminated consignments from LY Corporation to NAVER Group companies other than NAVER and NAVER Cloud (end of March 2025)
 End of December 2025 – Target date for terminating consignments from LY Corporation to NAVER/NAVER Cloud
End of March 2026 – Target date for terminating use of technology/systems and consignments on service planning, features, and development
Make improvements for issues related to our response after 2021 administrative guidance Completed
  • Defined critical systems and the required safety management measures and completed building a mechanism for identifying/evaluating risks of critical systems (end of June 2024)
  • Completed incorporating the above into regulations (July 1, 2024)
  • Completed identifying critical systems (September 2024)
  • Confirmed compliance of critical systems with safety management measures and completed correction of non-compliant areas (confirmation completed in October 2024, correction completed at end of December 2024)
  • Formulated review implementation plans for safety management measures that meet current trends (November 2024)
 -
Improve development of a system to respond to information leakage incident Establish a system to respond to incidents of leakage, etc. (investigate the facts, determine the cause of the leakage, etc.) Completed
  • Developed an improvement plan for the initial action flow at the time of an incident, the process for determining the scope of investigation, and the development of stakeholders and their roles and responsibilities, etc., and completed an external evaluation (end of June 2024)
  • Completed responses based on the improvement plan evaluated by an external organization (October 2024)
  • Conducted periodic exercises on incident response multiple times (December 2024 to March 2025)
 Continuously conduct periodic exercises on incident response
Establish an independent operational structure for SOC (Security Operation Center) Completed
Started conducting SOC Tier 1 monitoring in Japan (October 2024)		 -
Improve establishment, etc. of an organizational structure (establish an organizational structure that ensures thorough implementation of security management measures are taken) Underway
  • Established an auditing division to monitor compliance with security rules (April 2024)
  • Established a Security Governance Committee (April 2024)
  • Established a Group CISO Board (April 2024)
 Promote continuous discussions and measures by the Security Governance Committee and Group CISO Board

*1 The original December 2026 completion date has been moved up to March 2026.
*2 There are some subcontractors with which access is not blocked, but risk mitigation measures are taken with the approval of LY Corporation’s CISO. For details, please refer to the Report Submitted on March 31, 2025 (Summary).pdf

Press Releases

Page top