Information and Progress on Measures to Prevent Recurrence in Accordance with PPC’s Request for Reports, Etc. and Recommendation

Last Update: April 15, 2026

The following is a summary of the progress made on the recurrence prevention measures reported to Japan’s Personal Information Protection Commission (“PPC”) on April 26, 2024.

Administrative Guidance LY Corporation's Measures Progress of Measures Next Steps
(1) Taking corrective actions for inadequate technical safety management measures Correct network connection between NAVER Cloud's data center and our data center Block unnecessary telecommunications from NAVER and NAVER Cloud Completed
  • Completed setting up firewalls and blocked unnecessary telecommunications as of March 2024 (March 2024)
  • Reviewed and changed the settings of firewall policies accompanying the relocation of servers/data to Japan. Deleted unnecessary firewall policies. (June 2024)
  • Completed drafting plans on termination/reduction of outsourcing (June 2024)
  • Removed firewall policies deemed unnecessary during maintenance of settings conducted once every three months (completed September 2024)
  • Blocked unnecessary telecommunications from NAVER and NAVER Cloud accompanying the separation from systems managed by NAVER and NAVER Cloud and termination of consignments to these companies (end of March 2025)
  • Removed unnecessary firewall policies following the system separation (end of September 2025)
  • Completed removal of unnecessary firewall policies following the system separation as well as the blocking of unnecessary telecommunications (end of March 2026)
Cease using authentication system managed by NAVER Cloud and replace it with our own Completed
  • Switched our management systems that were directly linked to NAVER's authentication system to our own separate one (March 2024)
  • Completed operational separation (June 2024)
  • Completed separation of LY Corporation's authentication system through the system separation at the end of March 2025 (end of March 2025)
  • Completed separation of authentication systems used by our subsidiaries in and outside of Japan (end of March 2026)
Separate systems from NAVER and NAVER Cloud Underway
  • Completed system separation from NAVER and NAVER Cloud, excluding systems containing data used for accounting audits and tax reporting (end of March 2025)
  • Completed the system separation from NAVER and NAVER Cloud for the systems used by our company that handle data for accounting audits and tax reporting (June 2025)
  • Completed the system separation from NAVER and NAVER Cloud for the systems used by our subsidiaries in and outside of Japan (end of March 2026)
 June 2026 – Sequentially complete deletion of residual data that was retained for a certain period for accounting audits and temporary backup purposes after system discontinuation and separation.
Take corrective actions regarding access management of highly critical information systems Apply two-factor authentication to systems used by our employees Completed
  • Completed application except for some systems in the former Yahoo Japan environment (March 2024)
  • Distributed authentication devices and implemented two-factor authentication to employees working in restricted areas where bringing in of smartphones are prohibited (End of June 2024)
  • Applied two-factor authentication to remaining systems in the former Yahoo Japan environment and completed application of two-factor authentication to all internal systems used by our employees (end of October 2024)
Conduct a security diagnosis on authentication processes for critical systems and fix any vulnerabilities found Completed (March 2024)
Rectify management of Active Directory Completed (March 2024)
Take other corrective actions for the technical safety management measures Conduct total inspection of connection paths between outside environment and the data centers of former LINE Completed
  • After conducting a total inspection of the connection paths between the external environment and former LINE data centers, completed corrective actions based on the inspection results (inspection completed at the end of August 2024, corrective actions completed at the end of September 2024)
  • Drafted plan on outbound communication control from former LINE data centers to NAVER Cloud data centers (end of August 2024)
  • Completed application of firewall policies to outbound communications (end of October 2024)
  • Completed inspection of unnecessary telecommunications (end of December 2024)
  • Built application process for adding new firewall policies for outbound communications (end of December 2024)
  • Revised/deleted firewall policies based on the inspection results of December 2024 (February 2025)
Form plans with an outside firm Completed
  • Received proposals from an outside firm (March 2024)
  • Reminder and e-learning regarding storage of passwords (End of April 2024)
  • Confirmed that measures have been implemented appropriately at NAVER Cloud’s environment (end of May 2024)
  • Disabled management share functions in the servers of our data centers (June 2024)
Verify effectiveness along with fundamentally improving and strengthening cybersecurity measures/security monitoring Completed
  • Penetration test conducted by an external company and drafted corrective action plan on items identified (end of August 2024)
  • Analyzed current status and validated effectiveness with an outside organization to review mechanisms for behavior-based detection, etc. and rules for correlation analyses, etc. (end of August 2024)
  • Implemented all of the detection rules that had been planned, based on the effectiveness verification results of behavior-based detection and correlation analysis rules (February 2025)
  • Corrected items identified in the penetration tests and considered framework for correction, etc. (end of March 2025)
Ongoing
  • Continuous review of detection rules, introduction of formulated frameworks, and periodic monitoring of improvements
(2) Taking corrective actions for inadequate organizational safety management measures Understand the status of personal data handling and carry out assessment, review, and improvement of safety management measures Review standards for security risk assessment Completed (March 2024)
Consider methods of supervision and formulate/implement standards to effectively manage subcontractors based on the risks involved Completed
  • Established internal regulations/organizations and started evaluating suppliers and project risks (July 2024)
Ongoing
  • Management of subcontractors based on said structure
Create safety management/cybersecurity measures Completed (January 2024)
For subcontractors with accounts issued by LY Corporation, implemented two-factor authentication for accessing our networks
Lend PCs to subcontractors for the purpose of enabling us to confirm any breaches and their extent Completed*1
  • Started loaning out PCs to subcontractors with accounts issued by LY Corporation (March 2024)
  • Completed loaning out PCs to subcontractors performing our work, blocked access from PCs not loaned from LY Corporation, and deleted accounts deemed unnecessary (lending of PCs completed at end of September 2024, access blocked and accounts deleted in October 2024)
  • Completed loaning out PCs to subcontractors other than those noted above that have access to LY Corporation’s network, blocked access from PCs not loaned from LY Corporation, and deleted unnecessary accounts (end of March 2025)
Implement risk management in accordance with the relationship with NAVER Cloud Completed
  • Conducted an on-site investigation at NAVER Cloud and requested them to take corrective action (February 2024)
  • Conducted audits in accordance with consignments and confirmed that requests for corrective actions have been performed (end of April, end of June 2024)
  • Conducted employee survey for the purpose of improving security governance (July 2024)
  • Conducted employee survey regarding the LY Corporation Group Code of Conduct (November 2024)
Ongoing
  • Continuous resolution of issues and ongoing improvements based on employee feedback.
Establish plans to terminate/reduce consignments to NAVER/NAVER Cloud Completed*2
  • Drafted plans to terminate/reduce use of technology/systems and consignments on service planning/features/development (June 2024)
  • Completed conducting risk assessment for remaining consignments (end of September 2024)
  • Terminated consignments from LY Corporation to NAVER Group companies other than NAVER and NAVER Cloud (end of March 2025)
  • Terminated consignments from LY Corporation to NAVER and NAVER Cloud (end of December 2025)
  • Terminated use of NAVER's technology and systems for our company's operations (end of March 2026)
Make improvements for issues related to our response after 2021 administrative guidance Completed
  • Defined critical systems and the required safety management measures and completed building a mechanism for identifying/evaluating risks of critical systems (end of June 2024)
  • Completed incorporating the above into regulations (July 1, 2024)
  • Completed identifying critical systems (September 2024)
  • Confirmed compliance of critical systems with safety management measures and completed correction of non-compliant areas (confirmation completed in October 2024, correction completed at end of December 2024)
  • Formulated review implementation plans for safety management measures that meet current trends (November 2024)
Improve development of a system to respond to information leakage incident Establish a system to respond to incidents of leakage, etc. (investigate the facts, determine the cause of the leakage, etc.) Completed
  • Developed an improvement plan for the initial action flow at the time of an incident, the process for determining the scope of investigation, and the development of stakeholders and their roles and responsibilities, etc., and completed an external evaluation (end of June 2024)
  • Completed responses based on the improvement plan evaluated by an external organization (October 2024)
  • Conducted periodic exercises on incident response multiple times (December 2024 to March 2025)
Ongoing
  • Continuous implementation of periodic exercises on incident response
Establish an independent operational structure for SOC (Security Operation Center) Completed
Started conducting SOC Tier 1 monitoring in Japan (October 2024)
Improve establishment, etc. of an organizational structure (establish an organizational structure that ensures thorough implementation of security management measures are taken) Completed
  • Established an auditing division to monitor compliance with security rules (April 2024)
  • Established a Security Governance Committee (April 2024)
  • Established a Group CISO Board (April 2024)
Ongoing
  • Promotion of continuous discussions and measures by the Security Governance Committee and Group CISO Board

*1 There are some subcontractors with which access is not blocked, but risk mitigation measures are taken with the approval of LY Corporation’s CISO. For details, please refer to the Report Submitted on March 31, 2025 (Summary).pdf

*2The outsourcing relationship under Type 1 in the material disclosed on July 1, 2024pdf —“Outsourcing of service planning/functions/development for businesses operated by LY Corporation in Japan to NAVER and the NAVER Group”—was terminated as of the end of December 2025 (excluding those based on existing collaborations with companies that became part of the NAVER Group after entering into a business alliance with LY Corporation). Furthermore, “Use of NAVER's technology and systems for the operation of LY Corporation” (Type 2) was terminated as of the end of March 2026 (with the deletion of residual data associated with the termination scheduled to be completed by the end of June 2026). As a result of such measures taken in line with the policy to “gradually reduce and terminate the outsourcing relationship with NAVER,” LY Corporation and its subsidiaries only have the following outsourcing relationships, etc. with NAVER (all of which are classified under Type 3 and have undergone risk assessment): (i) the use of products and services available to the general public, as well as general-purpose APIs (ii) outsourcing, etc. in overseas businesses, and (iii) collaborations with LY Corporation’s affiliates who are also NAVER subsidiaries.

Past Report Summaries

An outline of the progress regarding the recurrence prevention measures reported to the PPC during the period from April 26, 2024 to March 31, 2025, is also available in the report summaries below.

April 26, 2024 Report in Response to Recommendations and Request for Reports Received from PPC dated March 28, 2024 (Summary)pdf
June 28, 2024 Report Submitted on June 28, 2024, in Response to Request for Report and Recommendation Received from PPC dated March 28, 2024 (Summary)pdf
July 1, 2024 Future Policies and Plans Regarding the Outsourcing Relationship with NAVER Corporationpdf
September 30, 2024 Report Submitted on September 30, 2024, in Response to Request for Report and Recommendation Received from PPC dated March 28, 2024 (Summary)pdf
December 27, 2024 Report Submitted on December 27, 2024, in Response to Request for Report and Recommendation Received from PPC dated March 28, 2024 (Summary)pdf
March 31, 2025 Report Submitted on March 31, 2025, in Response to Request for Report and Recommendation Received from PPC dated March 28, 2024 (Summary)pdf

Press Releases

Page top