GMO Payment Gateway confirms data leakage from two client websites

Information security is key in the financial industry but problems concerning maintaining personal data safe keep emerging. GMO Payment Gateway Inc (TYO:3769), the Japanese provider of payment processing services, has sought to apologize over personal data leakage that affected the websites of two of its clients – the Tokyo Metropolitan Government and the Japan Housing Finance Agency.

The problems, which were initially detected on March 9, 2017, affected the Tokyo Metropolitan Government credit card payment site for metropolitan tax, as well as the credit card payment site for group life insurance rider of the Japan Housing Finance Agency.

In an official statement, GMO Payment Gateway apologized to customers affected and provided details on what happened.

The number of “units of information” leaked through the Tokyo Metropolitan Government website is 676,290, including 614,629 email addresses, as well as 61,661 credit card numbers and credit card expiration dates.

The number of “units” of credit card information reportedly leaked from the Japan Housing Finance Agency is 43,540, including credit card numbers, credit card expiration dates, security codes, credit card payment registration dates, addresses, email addresses, names, phone numbers, as well as dates of birth and payment joining dates.

GMO Payment explains that it started its investigation into a possible information leak on March 9, 2017, following alerts concerning the security of Apache Struts 2. It looked into the possibility of unauthorized access at the same time. About six hours after it started investigating, it found unauthorized access traces and stopped all systems running with Apache Struts 2.

On March 10, 2017, GMO Payment Gateway applied a permanent fix to all related systems and, subsequently, determined the amount of information that was possibly affected by the external unauthorized access.

Regarding future action in response to the incident, GMO Payment Gateway notes that upon consulting with the companies impacted by the leakage, it will promptly implement necessary measures to protect all of the customers affected. On top of that, considering preventive measures, GMO Payment Gateway has commenced a new system investigation that will be conducted by an information security company. GMO PG will also cooperate with the police with relation to the investigation.