Websites affected by GMO Payment Gateway data leakage seek to handle consequences
More than two weeks after the detection of the credit card information leakage, websites affected by the breach continue to deal with the consequences.
The full scale of the credit card information from the websites of two of the clients of GMO Payment Gateway Inc (TYO:3769), the Japanese provider of payment processing services, has yet to be estimated.
The leak, which happened more than two weeks ago, has affected the credit card payment site for metropolitan tax of the Tokyo Metropolitan Government and the credit card payment site for group life insurance rider of the Japan Housing Finance Agency.
According to preliminary estimates, the number of “units of information” leaked through the Tokyo Metropolitan Government website is 676,290, including 614,629 email addresses, along with 61,661 credit card numbers and credit card expiration dates. The number of “units” of credit card information reportedly leaked from the Japan Housing Finance Agency is 43,540, including credit card numbers, credit card expiration dates, security codes, credit card payment registration dates, addresses, email addresses, names, phone numbers, as well as dates of birth and payment joining dates.
The GMO Payment Gateway’s clients affected by the leak have been issuing regular updates to clients, accompanied by apologies. Today, the Japan Housing Finance Agency published another update on its website concerning the incident – it informs customers that they will be mailed a special guide on what to do with regards to the data breach. The customers will have to confirm any payments made, the payment procedure used, the receipt of the guide itself, etc.
In a previous update, the Japan Housing Finance Agency has asked customers to pay special attention to any unconfirmed transactions made through their credit cards, as well as to any charges. The Agency also urged caution with regards to suspicious phone calls and emails from people presenting themselves as employees of the Agency or GMO Payment Gateway and asking customers to provide credit card data.
GMO Payment began its investigation into a possible information leak on March 9, 2017, following alerts concerning the security of Apache Struts 2. It examined the possibility of unauthorized access at the same time. About six hours after the start of the investigation, it found unauthorized access traces and stopped all systems running with Apache Struts 2.
On March 14, 2017, GMO Payment Gateway announced the establishment of “Recurrence Prevention Committee”, which seeks to perform inspection of the systems affected and to plan and implement measures to prevent any future data breaches.
