Corporate Obligations and Responsibilities: Security and Privacy

To remain capable of continuously providing safe and secure services to our users, Yahoo Japan Corporation (“Yahoo! JAPAN”) strives to achieve maximum information security throughout the company from a medium- to long-term perspective.

Basic Approach to Information Security

Under the initiatives of the CEO, we promote ERM across the entire Group. We have declared “protecting people’s lives and ensuring information security (confidentiality, availability, integrity)” as our utmost priorities and are incorporating this declaration into various strategies. In regard to information security, which takes precedence after the protection of human life, our policy is to protect our users from information leaks (confidentiality), to provide round-the-clock service (availability), and to securely protect the service contents from destruction or fabrication (integrity).

Information Security System

We have established a cross-functional information security system from a medium- to long-term perspective.

Diagram of information security management system

Efforts to Guarantee Security

Efforts to Provide Safe and Secure Services

As part of our efforts to provide robust services, we address application vulnerabilities through measures such as vulnerability examinations by dedicated internal organizations and third-party institutions. In addition, we hold secure coding training for engineers with the aim of preventing application vulnerabilities. We also conduct incident response training against cyber-attacks (YJ-Hardening) to strengthen our responsiveness to such issues.

Diagram of efforts to provide safe services

Moreover, to respond to newly emerging security threats, we are striving to remain constantly aware of technological trends by obtaining the latest information from outside sources and by becoming a member of the following organizations.

System for Sharing Information with External Organizations

Nippon CSIRT Association (external website)
FIRST (external website)
To respond to new security-related threats, we work to remain constantly aware of technological trends.
JC3: Japan Cybercrime Control Center (external website): We work with the JC3 to collect information on cybercrime and enact appropriate countermeasures.
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) (external website): We collaborate with JPCERT/CC to respond to incidents when they occur.

Initiatives to Protect Users

To prepare for instances where a third party gains knowledge of a user’s Yahoo! JAPAN ID or password, we conduct countermeasures to prevent fraudulent logins and mitigate damage should such logins occur. In addition, we work to raise awareness among Japanese Internet users on managing login IDs in a secure manner. At the same time, we have preventive measures in place that anticipate a certain level of improper access.

Awareness raising: We provide information on measures that can be implemented by the users themselves to protect their Yahoo! JAPAN IDs from fraudulent use.
Yahoo! Security Center (Japanese only)
Provision of tools
  • Login history and login alerts: Allow users themselves to detect any fraudulent use of their Yahoo! JAPAN ID.
  • One-time password: Prevents fraudulent logins in the event a third party gains knowledge of a user’s Yahoo! JAPAN ID or password.
Detection and measures against fraudulent logins
  • Analysis, cut-off, and re-authentication of suspected logins by third parties with malicious intentions
  • Verification and monitoring by dedicated internal departments

Initiatives to Protect Data

We organize our data into multiple categories based on the level of importance and have in place measures for protecting data in each category.

Diagram of data protection efforts with systemic, physical, and human measures, categorized according to the importance of data

Thorough Education on Information Security

We conduct an online learning program every two months for all employees (including temporary and subcontract employees) so that they acquire the information security knowledge necessary for their work. In addition, we provide the following training programs adapted to the employees’ duties and job titles.

Training for new hires: This online learning targets all new employees, both new graduates and mid-career hires (including temporary and subcontract employees). New hires learn general security knowledge and countermeasures as well as internal rules on information management.
Training for newly appointed managers: This online training helps newly appointed managers acquire necessary knowledge related to information security.
Training for engineers: This secure programming training targets all engineers in charge of programming.
Training for officers and managers: We invite experts from outside twice a year for a small-scale seminar to learn about the latest security threats and countermeasures.
Drills: This virtual training, conducted every month, targets employees engaged in services. The employees learn the measures to be taken when security incidents occur.

Acquisition of Third-Party Certification

Acquisition of Information Security Management System (ISMS) Certification

As a group, Yahoo! JAPAN and some subsidiaries received third-party audits and acquired Information Security Management System (ISMS) certification ISO/IEC 27001:2013, the ISMS international standard, and JIS Q27001:2014 certification, the Japanese standard, for all of their businesses.
Subsidiaries holding ISMS certification comply with information security rules of Yahoo! JAPAN and maintain information security management systems identical to those of Yahoo! JAPAN.
Yahoo! JAPAN has a long history of ISMS certification. In August 2004, it acquired BS7799-2:2002, the international standard at the time, and ISMS certification standards (Ver. 2.0), the Japanese version of the international standard at the time. Since then, we have complied with revisions to the international standard in order to maintain valid certification.

Acquisition of PCI DSS Accreditation

In November 2008, Yahoo! JAPAN obtained Payment Card Industry Data Security Standard (PCI DSS) accreditation, a security standard for member information, transaction information, and payment processes related to credit card payments for its Yahoo! Wallet online payment service.
The accreditation obtained is the level 1 requirement, the most stringent requirement within PCI DSS, geared toward participating merchants that handle a large volume of transactions. Through this accreditation, all systems related to information management and transaction processing of Yahoo! Wallet, one of Japan’s largest online payment services, have received verification that they have international-level security in place.

Furthermore, we have acquired licenses for issuing and acquiring business from VISA and MasterCard, and since March 2012, we have conducted the acquiring business for almost all credit-card payments in our services. Since obtaining PCI DSS accreditation for these operations in February 2012, we have continued to obtain the accreditation each year.

Images of Certificate of Validation For Service Providers

Initiatives to Enhance Login Security

Passwordless Login

Users can log in to our services using SMS (short message service) on smartphones, etc., without setting a password at ID registration or after disabling their password.
Since logins cannot be made using passwords, this login method resolves the risk of fraudulent logins in which a third party uses a list of account and password combinations acquired from other websites (so-called list-based attacks).

FIDO2

Users can log into Yahoo! JAPAN by using fingerprint or face recognition installed on their smartphones instead of a password or a validation code sent via SMS, etc. With this authentication system, we provide a convenient and simple login method while enhancing security. The feature is currently only available on Google Chrome version 70 or above on Android 7.0 or above.

Detection and measures against illegal logins

Various verification and monitoring measures by dedicated internal departments are in place, such as analysis, cut-off, and re-authentication of logins made by potentially malicious third parties.

Awareness raising towards information security

We provide information on measures that can be implemented by the users themselves to protect their Yahoo! JAPAN IDs from illegal use.

Login Alerts

We provide alert services to inform users by e-mail when their Yahoo! JAPAN ID has been used to log in. Potentially unauthorized logins are immediately detected, and the option of temporarily locking an account should a login occur without the user’s knowledge contributes to preventing the escalation of unauthorized use of IDs.

Login History

On the Yahoo! JAPAN website, users can check the dates on which, and the services for which, their IDs were used to log in. By checking the record of the past 30 successful Yahoo! JAPAN logins, users can confirm for themselves whether or not a third party gained unauthorized access to their account.

Login Themes

We offer login themes on the Yahoo! JAPAN login screen. These theme images enable users to judge whether the website is legitimate when they log in to Yahoo! JAPAN. Use of login themes increases the likelihood of users recognizing fake login screens and enables them to avoid the dangers of phishing schemes.

One-Time Password

The one-time password is a security feature that functions as a strong protection against unauthorized use of IDs. Should a user’s password become known to a third party, the user can avoid unauthorized logins by adding one-time password authentication.

Secret ID

Unlike Yahoo! JAPAN IDs or user names, a secret ID is used only at login. Because IDs are often accessible to others, they may be used without authorization if they become known to malicious persons. In addition to a password, a secret ID known only to the user may be used to mitigate the danger of others learning that user’s ID.

Enhancements to Anti-Spam Measures

We provide a number of tools that offer protective measures for Yahoo! Mail users, such as automatic filters to remove spam and rejection of spoofed mail. A help page provides detailed explanations on how to set up and use such tools as part of our efforts to support users in anti-spam measures.

Measures on privacy

Yahoo! JAPAN uses various data, including information on our users, to improve convenience, enrich our users’ lives, and solve various social issues by leveraging the power of the Internet. In our “privacy center”, we have compiled and introduced our basic view and policy on how we handle data based on our privacy policy, as well as our strict management of personal information and enhancement of information security.