AI Incident Database

Report 6722

Associated Incidents

Incident 12952 Report
Japanese Teen Allegedly Uses AI-Generated Program to Breach Kaikatsu Frontier and Leak Data of 7.3 Million Customers

Notifications and inquiries regarding the occurrence of unauthorized access and the possibility of personal information leakage
kaikatsu.jp · 2025

Updated March 17, 2025, 4:00 PM

March 17, 2025

Kaikatsu Frontier Co., Ltd.

Notice Regarding Unauthorized Access and Possible Personal Information Leakage

(Fifth Report)

As previously announced on January 21 and January 28, 2025, regarding unauthorized access to our server from an external source and the possible leak of some of our customers' personal information, we have now completed an investigation by an external specialist agency and an internal investigation. We would like to inform you of the results of the investigation and measures to prevent recurrence.

In addition, since the incident first came to light, no leak of personal information or secondary damage resulting from the leak has been confirmed. We sincerely apologize to our customers and all other parties involved for the inconvenience and concern caused.

Note

[Response to this Incident]

In the evening of Saturday, January 18, 2025, we detected unauthorized access to our server and immediately took the necessary measures, including disconnecting the server from the network. Subsequently, while investigating the scope of the impact with the advice of an external specialist agency, we found evidence of unauthorized access to the system that manages member accounts, and discovered that some personal information may have been leaked to the outside.

After discovering this incident, we promptly established a task force and began investigating the scope of the impact and the cause, as well as consulting with the police and reporting the incident to the Personal Information Protection Commission.

The progress of our response to date is as follows:

  • January 20, 2025 (Monday): Establishment of a task force, commencement of restrictions on the use of member app services, and public announcement (first report)
  • January 21, 2025 (Tuesday): Report to the Personal Information Protection Commission (first report), public announcement (second report)
  • January 21, 2025 (Tuesday) - February 14, 2025 (Friday): Conduct of investigations by external specialist agencies and internal investigations
  • January 28, 2025 (Tuesday): Report to the Personal Information Protection Commission (follow-up report), public announcement (third report)
  • January 31, 2025 (Friday): Public announcement (fourth report)
  • February 14, 2025 (Friday): Receipt of investigation results from external specialist agencies
  • February 19, 2025 (Wednesday) - February 28, 2025 (Friday): Restricted member app services reopened in sequence
  • Thursday, March 13, 2025: Report to the Personal Information Protection Commission (Final Report)
  • Monday, March 17, 2025: Public Announcement (Fifth Report)

[Facts Revealed by the Investigation]

  • Identification of the causes of the unauthorized access attack and the affected programs

  • Identification of the scope of information potentially leaked

[Persons and Personal Information Possibly Leaked]

Persons: Kaikatsu CLUB members (some customers who visited between October 1, 2015 and January 20, 2025)

Kaikatsu CLUB Provisional Members (some customers who became members between March 25, 2019 and January 20, 2025)

FiT24 members and FiT24 Indoor Golf members (some customers who visited between October 30, 2018 and April 1, 2023) (Part of those who have become members)

Scope of personal information: First name, Kana first name, Gender, Postal code, Address, Phone number, Date of birth, Membership number, Membership type, Membership status, Current points and expiration date, Store code, Last transaction date and time, Barcode, Push notification preference, Coupon message

Number of personal information entries: 7,290,087

*Provisional members are individuals who have not yet registered in-store.

*Personal information that may be leaked does not include identification (driver's license, etc.) submitted at the time of membership registration, credit card information, email address, or membership app password.

[Response to Affected Individuals]

We contacted affected individuals via email or mail between Wednesday, January 29, 2025 and Thursday, March 13, 2025.

Please note that for those who were not contacted via these methods, this announcement will serve as a substitute for contact.

[Measures to Prevent Recurrence]

Based on the results of the investigation into this matter, we have already implemented the following measures.

  • Repairing programs affected by unauthorized access
  • Implementing new security software and applying security patches
  • Strengthening monitoring of unauthorized website access and strengthening blocking when detected

In addition, we have confirmed that there is no evidence of unauthorized access on unaffected servers and programs, and have implemented security measures such as strengthening password policies, preventing and monitoring unauthorized external access, and implementing multi-layered defenses.
We will continue to work with external specialist organizations to further strengthen our security measures and monitoring system and strive to prevent recurrence.

End


Updated January 31, 2025, 10:00 AM

Partial Correction to the "Notice Regarding Unauthorized Access and Possible Personal Information Leak"

The notice dated January 28, 2025 contained an error in the description of the affected individuals, so we are correcting it as follows.
Please note that there are no corrections to the number of potentially leaked personal information entries or other information previously announced.

Note

[Potentially Leaked Persons and Personal Information]

Before Correction
Affected Persons: Kaikatsu CLUB members (some individuals who became members between October 1, 2015 and January 20, 2025)

After Correction (underlined portion)
Affected Persons: Kaikatsu CLUB members (some individuals who visited our store between October 1, 2015 and January 20, 2025)

*A store visit refers to individuals who visited our store and paid during the specified period.
*There are no corrections for Kaikatsu CLUB Provisional Members, FiT24 Members, and FiT24 Indoor Golf Members.

At this time, we have not confirmed any actual leak of personal information related to this matter, nor have we confirmed any secondary damage resulting from the leak.
We will continue to investigate and make every effort to prevent recurrence.

The End


As of 10:30 AM, January 28, 2025

To Whom It May Concern

We sincerely apologize for the concern caused to our customers and other related parties regarding the unauthorized access to our server from an external source, which we announced on January 21, 2025, and the possible leak of some of our customers' personal information.

We are currently continuing our investigation and response, and have discovered new information that requires further notification. As of this writing, we have not confirmed any actual leak of personal information related to this incident, nor any secondary damage resulting from the leak.

Note

[Potentially Leaked Individuals and Personal Information]

Affected Individuals: Kaikatsu CLUB Members (some individuals who joined between October 1, 2015 and January 20, 2025)

Kaikatsu CLUB Provisional Members (some individuals who joined between March 25, 2019 and January 20, 2025)

FiT24 Members and FiT24 Indoor Golf Members (some individuals who joined between October 30, 2018 and April 1, 2023)

Personal Information: First name, first name (kana), gender, postal code, address, telephone number, date of birth, membership number, membership type, membership status, most recent points and expiration date, store code, last transaction date and time, barcode, push notification preference, coupon message

Number of Personal Information Items: 7,290,087

*Underlined items indicate additions from the previous announcement.
*Provisional members are those who have not registered as a member in-store.
*Personal information that may be leaked does not include identification information (driver's license, etc.) submitted at the time of membership registration, credit card information, email address, or membership app password.
*For FiT24 members and FiT24 Indoor Golf members, members who joined during the affected period were automatically registered as Kaikatsu CLUB members, so only some members who joined during the affected period are affected.
*This does not include Cote d'Azur members or Cote d'Azur provisional members.

[Response to Affected Individuals]
We will continue to contact affected individuals by email, mail, etc. in due course.

[Our Response]
We reported the newly discovered information to the Personal Information Protection Commission today. In addition, if any matters requiring disclosure arise in the future, we will promptly announce them on our website.
We will continue to investigate this matter and will make every effort to prevent recurrence.

The End


As of 6:10 PM, January 21, 2025

To Whom It May Concern

We have discovered that our server was subject to unauthorized access from an external source, potentially resulting in the leakage of some of our customers' personal information. We sincerely apologize for the inconvenience and concern this has caused to our customers and other stakeholders.

The details of this incident are as follows:

Note

[Background]

In the evening of Saturday, January 18, 2025, we detected unauthorized access to our server and immediately took necessary measures, including disconnecting the server from the network. Subsequently, while investigating the scope of the impact with the advice of a third-party organization (external security expert), we found evidence of unauthorized access to the system managing member accounts, and discovered that some personal information may have been leaked.

[Personal Information Possibly Leaked]

Kaikatsu Club members and provisional members' names, gender, address, phone number, date of birth, and membership number.

*No personal information of Cote d'Azur members or provisional members has been leaked to external parties.

Please note that the personal information provided at the time of membership registration (driver's license, etc.), credit card information, and email address are not included in the potentially leaked information because they are stored on a different server from the one that was accessed. However, the total number of affected personal information data items is currently under investigation.

[Our Response]

After becoming aware of this incident, we worked with our parent company, AOKI Holdings, Inc., to take measures to prevent the impact from spreading by strengthening our methods for blocking unauthorized communications. We also established a task force, consulted with the police, and submitted necessary reports to the Personal Information Protection Commission. We will continue to investigate the cause and work to fully understand the damage.

We will provide further updates as further information becomes available.

We take this incident very seriously and will make every effort to prevent a recurrence, including improving our security system and strengthening our network monitoring system.

[Regarding Kaikatsu App Coupons]

The expiration date for the 300-point coupon distributed on January 17th will be extended from January 24th at 11:59 PM to February 28th at 11:59 PM.

End


As of 1:00 PM, January 20th, 2025

We have confirmed that Kaikatsu CLUB, the sharing space operated by our company, is currently experiencing network disruptions due to a DDoS attack. As a result, the Kaikatsu CLUB app's functionality has been limited to "Displaying Membership Cards."

We are currently investigating the attack method and taking countermeasures. We will provide an update as soon as the situation improves.

Affected: Kaikatsu CLUB app

Cause: Network congestion due to DDoS attack

We apologize for any inconvenience caused.

End
