Corporate Obligations and Responsibilities: Security and Privacy
- Protection of User Information (Confidentiality)
- Constant Service and Data Availability (Availability and Integrity)
- Information Security System
- Development and Dissemination of Information Security Rules
- Acquisition of Information Security Management System (ISMS) Certification
- Efforts to Provide Safe and Secure Services
- Initiatives to Enhance Login Security
- Detection and measures against illegal logins
- Awareness raising towards information security
- Enhancements to Anti-Spam Measures
- Measures on privacy
To remain capable of continuously providing safe and secure services to our users, Yahoo Japan Corporation (“Yahoo! JAPAN”) strives to achieve maximum information security throughout the company from a medium- to long-term perspective.
Protection of User Information (Confidentiality)
Yahoo! JAPAN gives top priority to the security of all users’ personal information, which requires especially high levels of confidentiality. Our activities regarding personal information entrusted to us consist of an effective combination of systematic measures minimizing the number of staff authorized to access users’ personal information and physical measures blocking staff access to securely monitored areas where users’ personal information is stored.
The personal information of each user can only be viewed, altered, or deleted directly through the system by the user in question. Except in cases where a response to a user inquiry is required, executives, employees, or any other members of Yahoo! JAPAN are not able to access personally identifiable information, such as names or addresses.
Constant Service and Data Availability (Availability and Integrity)
Providing services around the clock, we have also implemented measures to ensure that information and content received from users are not falsified or otherwise altered. Regarding services of high importance to users and society in particular, we have implemented special measures safeguarding uninterrupted provision even under unforeseen circumstances.
Information Security System
We have a cross-functional information security system in place that allows the Chief Information Security Officer (CISO), appointed by the CEO, to focus on information security and thus control and evaluate security matters. Accordingly, authority and responsibility for the information security of Yahoo! JAPAN and its subsidiaries and affiliated companies have been transferred to the CISO.
Under the authority of the CEO, a “Security-Board” is also established to assist the CISO in the planning and promotion of security strategies and policies throughout the company.
Under the supervision of the CISO, supervisory organizations of information security are established to manage the Information Security Management System (ISMS) and conduct countermeasures against cyber-attacks. Moreover, security-related initiatives are periodically reported to the Top Management Committee (attended by the President and Representative Director, and Directors serving for the Audit and Supervisory Committee).
The chief of information security for each service company and group is appointed by the corporate officers of each service company/group and manages information security within the scope of their supervision.
Subsidiaries and affiliated companies of Yahoo! JAPAN are placed under the supervision of service companies and groups, and information security is also managed and led by the chief of information security for each service company or group.
The Yahoo! JAPAN Computer Security Incident Response Team (YJ-CSIRT) centrally manages and guides responses to vulnerabilities in information security. It also supports the response measures of service companies and groups as well as the subsidiaries and affiliated companies.
Development and Dissemination of Information Security Rules
The Yahoo Japan Group has established information security rules, which are disseminated to and followed by executives and employees.
These security rules divide the information handled into information classifications by legal requirements, value, importance, and other criteria. The rules also stipulate matters such as the handling of information, system construction, and specifications for information handling spaces for each information classification.
Quarterly education and self-assessment are conducted to enhance executive and employee understanding of the information security rules. Their compliance is determined through internal and third-party audits. Deviations from the rules are managed by supervisory organizations of information security as information security risks and monitored until corrective actions are complete.
Acquisition of Information Security Management System (ISMS) Certification
As a group, Yahoo! JAPAN and some subsidiaries received third-party audits and acquired Information Security Management System (ISMS) certification ISO/IEC 27001:2013, the ISMS international standard, and JIS Q27001:2014 certification, the Japanese standard, for all of their businesses.
Subsidiaries holding ISMS certification comply with information security rules of Yahoo! JAPAN and maintain information security management systems identical to those of Yahoo! JAPAN.
Yahoo! JAPAN has a long history of ISMS certification. In August 2004, it acquired BS7799-2:2002, the international standard at the time, and ISMS certification standards (Ver. 2.0), the Japanese version of the international standard at the time. Since then, we have complied with revisions to the international standard in order to maintain valid certification.
Efforts to Provide Safe and Secure Services
As part of our efforts to provide robust services, we address application vulnerabilities through measures such as vulnerability examinations by internal dedicated organizations and third-party institutions. In addition, we hold secure coding training for engineers with the aim of preventing application vulnerabilities. We also conduct incident response training against cyber-attacks (YJ-Hardening) in order to strengthen our responsiveness to such issues.
Moreover, to respond appropriately to newly emerging security threats, we are striving to remain constantly aware of technological trends by obtaining the latest information from outside sources and by becoming a member of the following organizations.
Cooperation with external dedicated organizations: We collaborate with Japan Cybercrime Control Center and other external organizations to collect information on cybercrime and take appropriate measures.
When an incident occurs, we respond through collaboration with JPCERT Coordination Center (JPCERT/CC) and other external organizations.
Initiatives to Enhance Login Security
We provide alert services to inform users by e-mail when their Yahoo! JAPAN ID has been used to log in. Potentially unauthorized logins are immediately detected, and the option of temporarily locking an account should a login occur without the user's knowledge contributes to preventing the escalation of unauthorized use of IDs.
On the Yahoo! JAPAN website, users can check the dates on which, and the services for which, their IDs were used to log in. By checking the record of the past 30 successful Yahoo! JAPAN logins, users can confirm for themselves whether or not a third party gained unauthorized access to their account.
We offer login themes on the Yahoo! JAPAN login screen. These theme images enable users to judge whether the website is legitimate when they log in to Yahoo! JAPAN. Use of login themes increases the likelihood of users recognizing fake login screens and enables them to avoid the dangers of phishing schemes.
A one-time password is a security feature that functions as a strong protection against unauthorized use of IDs. Should a user's password become known to a third party, users can protect themselves by adding one-time password authentication to avoid unauthorized logins.
Unlike Yahoo! JAPAN IDs or user names, a secret ID is used only at login. Because IDs often consist of information accessible to others, they may be used without authorization if they become known to malicious persons. In addition to a password, a secret ID known only to the user may be used to mitigate the danger of others learning that user's ID.
Users can log in to our services using SMS (short message service) on smartphones and other devices, either without setting a password when registering their ID or by disabling the password.
Since logins cannot be made using passwords, this login method resolves the risk of fraudulent logins in which a third party uses a list of combinations of accounts and passwords acquired from other websites (so-called list-based attacks).
Detection and measures against illegal logins
Various verification and monitoring measures by dedicated internal departments are in place, such as analysis, cut-off, and re-authentication of logins made by potentially malicious third parties.
Awareness raising towards information security
We provide information on measures that can be implemented by the users themselves to protect their Yahoo! JAPAN IDs from illegal use.
Enhancements to Anti-Spam Measures
We provide a number of tools that offer protective measures for Yahoo! Mail users, such as automatic filters to remove spam and rejection of spoof mails. A help page provides detailed explanations on how to set up and use such tools as part of our efforts to support users in anti-spam measures.
Measures on privacy