Project One
Softbank – theft of consumer data for extortion
Please read the report published by the IAPP in the journal Privacy Advisor.
Organisations do not normally volunteer any information about any sort of security breach unless they are compelled in some way. The incident described is no exception; it concerned Yahoo! BB and Softbank BB.
Softbank of Japan offered broadband internet services across Japan through two subsidiaries – Yahoo! BB and Softbank BB. In February 2004, the bank announced that the security of 4.5 million customer records had been compromised: data from both subsidiaries had been illegally copied and disseminated.
The leaked details included customer names, home phone numbers, addresses and email IDs, but did not include passwords, access logs or credit card details.
Softbank became aware of the problem only when they were approached by two groups of extortionists. The criminals produced apparently genuine customer data and threatened that all of the data would be posted to the internet if they were not paid a large sum of money.
Japanese police made three arrests but suspected that there may have been connections to organised crime and the political far-right. Amazingly, the police concluded that there had in fact been two simultaneous, yet independent, extortion attempts against Softbank, both of them masterminded by employees of the company. All of the people accused of extortion had been authorised to access the customer data; but it appeared that Softbank had inadequate procedures to protect against its unwarranted copying and dissemination.
The bank immediately announced a tightening of security, further restricting access to their systems and enforcing tighter security on all of their subsidiaries. Profuse apologies were offered to the affected customers and ¥4 billion (£20 million, $40 million CAD at the time) was paid in compensation.
Furthermore, Softbank BB's president, Masayoshi