SoftBank Technology Corp.
President & CEO Shinichi Ata
Dear Sirs,
We would like to express our gratitude for the continued success of your company. Thank you very much for your continued patronage.
As announced on July 24, 2017 in "Notice and apology regarding the possibility of information leakage due to unauthorized access (first report)", we confirmed unauthorized access to our verification server and found that information may have been leaked to a third party (hereinafter referred to as the attacker). We have since proceeded with a detailed investigation by a third-party organization.
Within the scope of the detailed investigation by the third-party organization, it was not confirmed that files containing customer information were leaked. We therefore conclude that a direct impact on our customers is difficult to envisage, but we ask our business partners to contact us if they encounter any incident that they think may indicate a leak. Thank you for your understanding.
From now on, we will move to the phase of promoting measures to prevent recurrence and strive to prevent such a situation from occurring again. We will provide you with a detailed report based on the investigation report as follows.
We sincerely apologize for the great concern and inconvenience this has caused to our business partners, shareholders, investors, and other stakeholders.
Details
1. Response history
The details of how we became aware of the fact of unauthorized access and the possibility of information leakage, and proceeded with the investigation and response are as follows.
Date and time | Action |
---|---|
2017/7/17 13:52 | Security monitoring team detected malware execution and blocking of its communication. |
2017/7/17 14:08 | Disseminated information to CISO, information systems department, and CSIRT members. |
2017/7/17 15:45 | Started network isolation of the computer. |
2017/7/17 19:45 | Based on the malware investigation results, the server that was accessed illegally was identified. |
2017/7/17 19:50 | Shut off the server from the network. Began an investigation into the server. |
2017/7/20 10:00 | Confirmed evidence of unauthorized access to the server. It was discovered that the attacker was able to access the file containing customer information on the server. Started arranging for a third-party organization. |
2017/7/21 16:00 | Investigation by a third-party organization began. |
2017/7/22 13:50 | The primary investigation by the third-party organization was completed. |
2017/7/24 16:00 | First report regarding possible information leak published. |
2017/7/26 22:00 | The detailed investigation by the third-party organization was completed. Investigation report received. |
2017/7/27 10:00 | Related parties began checking the third-party organization's investigation report. |
2017/7/28 11:00 | Confirmed that no leakage of files containing customer information was found. |
2. Summary of the case and investigation report
Malware (virtual currency mining program) was executed on some computers within our network, and communication to the outside was blocked using multiple security measures. After the security operations team confirmed the alert that blocked communications from the malware, CSIRT members, including the CISO and information systems department, immediately began investigating and responding. During the investigation, it was discovered that the server that had been accessed illegally had a file containing customer information that was accessible to the attacker.
After becoming aware of the possibility of an information leak, our Threat Intelligence Research Office and MSS (Managed Security Services) team conducted an analysis and found no evidence of an information leak. Since the possibility could not be completely ruled out, we requested a third-party organization to investigate and made this matter public.
The detailed investigation conducted by the third-party organization is as follows. The investigation covers the period after the latest unauthorized access.
Investigation item | Description |
---|---|
1. Data recovery | Deleted files on the server are restored using multiple methods. |
2. Examining event logs | Investigating logon history and suspicious behavior logs, focusing on security and system event logs. |
3. Journal research | Investigate the existence of suspicious file processing in the information (journal) that regularly and automatically records the operating status of the system. |
4. External access history investigation | Investigate the existence of suspicious communications based on the external access history existing on the server. |
5. Keyword search | Search the server using keywords related to the subject, such as file names. |
In the above investigation, no evidence was found that the attacker had accessed the file containing customer information on the server. There was also no evidence that the drive itself where the file was stored was accessed.
3. Measures to prevent recurrence
From the first report to today, we reviewed the management rules for the verification environment and strengthened the network settings for external access. In the future, we will further inspect the entire information management policy and procedures that led to the possibility of information leaks, and as a measure against unauthorized access, we will thoroughly inventory and delete unnecessary accounts, strengthen passwords, and periodically change passwords. We will promptly review and systemize our audit and access control policies and ensure thorough compliance with them.
<Inquiries regarding this matter>
Dear business partners | Contact point for news organizations |
---|---|
If you have any questions or concerns, or if you have any concerns about possible leaks, please contact our sales representative. | Corporate Communication Group Email: sbt-pr@tech.softbank.co.jp |