Corporate Obligations and Responsibilities: Security and Privacy
To remain capable of continuously providing safe and secure services to our users, Yahoo Japan Corporation (“Yahoo! JAPAN”) strives to achieve maximum information security throughout the company from a medium- to long-term perspective.
Basic Approach to Information Security
Under the initiatives of the CEO, we promote ERM across the entire Group. We have declared “protecting people’s lives and ensuring information security (confidentiality, availability, integrity)” as our utmost priorities and are incorporating this declaration into various strategies. In regard to information security, which takes precedence after the protection of human life, our policy is to protect our users from information leaks (confidentiality), to provide round-the-clock service (availability), and to securely protect the service contents from destruction or fabrication (integrity).
Information Security System
We have established a cross-functional information security system under medium- to long-term perspectives.
Efforts to Guarantee Security
Efforts to Provide Safe and Secure Services
As part of our efforts to provide robust services, we address application vulnerabilities through measures such as vulnerability examinations by dedicated internal organizations and third-party institutions. In addition, we hold secure coding training for engineers with the aim of preventing application vulnerabilities. We also conduct incident response training against cyber-attacks (YJ-Hardening) to strengthen our responsiveness to such issues.
Moreover, to respond to newly emerging security threats, we are striving to remain constantly aware of technological trends by obtaining the latest information from outside sources and by becoming a member of the following organizations.
Initiatives to Protect Users
To prepare for instances where a third party gains knowledge of a user’s Yahoo! JAPAN ID or password, we conduct countermeasures to prevent fraudulent logins and mitigate damage should such logins occur. In addition, we work to raise awareness among Japanese Internet users on managing login IDs in a secure manner. At the same time, we have preventive measures in place that anticipate a certain level of improper access.
|Awareness raising||We provide information on measures that can be implemented by the users themselves to protect their Yahoo! JAPAN IDs from fraudulent use. Yahoo! Security Center (Japanese only)|
|Provision of tools||
|Detection and measures against fraudulent logins||
Initiatives to Protect Data
We organize our data into multiple categories based on the level of importance and have in place measures for protecting data in each category.
Thorough Education on Information Security
We conduct an online learning program every two months for all employees (including temporary and subcontract employees) so that they acquire the information security knowledge necessary for their work. In addition, we provide the following training programs adapted to the employees’ duties and job titles.
|Training for new hires||This online learning targets all new employees, both new graduates and mid-career hires (including temporary and subcontract employees). New hires learn general security knowledge and countermeasures as well as internal rules on information management.|
|Training for newly appointed managers||This online training helps newly appointed managers acquire necessary knowledge related to information security.|
|Training for engineers||This secure programming training targets all engineers in charge of programming.|
|Training for officers and managers||We invite experts from outside twice a year for a small-scale seminar to learn about the latest security threats and countermeasures.|
|Drills||This virtual training conducted every month targets employees engaged in services. The employees learn the measures to be taken when security incidents occur.|
Acquisition of Third-Party Certification
Acquisition of Information Security Management System (ISMS) Certification
As a group, Yahoo! JAPAN and some subsidiaries received third-party audits and acquired Information Security Management System (ISMS) certification ISO/IEC 27001:2013, the ISMS international standard, and JIS Q27001:2014 certification, the Japanese standard, for all of their businesses.
Subsidiaries holding ISMS certification comply with information security rules of Yahoo! JAPAN and maintain information security management systems identical to those of Yahoo! JAPAN.
Yahoo! JAPAN has a long history of ISMS certification. In August 2004, it acquired BS7799-2:2002, the international standard at the time, and ISMS certification standards (Ver. 2.0), the Japanese version of the international standard at the time. Since then, we have complied with revisions to the international standard in order to maintain valid certification.
Acquisition of PCI DSS Accreditation
In November 2008, Yahoo! JAPAN obtained Payment Card Industry Data Security Standard (PCI DSS) accreditation, a security standard for member information, transaction information, and payment processes related to credit card payments for its Yahoo! Wallet online payment service.
The accreditation obtained is the level 1 requirement, the most stringent requirement within PCI DSS geared toward participating merchants that handle a large volume of transactions. Through this accreditation, all systems related to information management and transaction processing of Yahoo! Wallet, one of Japan’s largest online payment services, have received verification that they have international-level security in place.
Furthermore, we have acquired licenses for issuing and acquiring business from VISA and MasterCard, and since March 2012, we have conducted the acquiring business for almost all credit-card payments in our services. Since obtaining PCI DSS accreditation for these operations in February 2012, we have continued to obtain the accreditation each year.
Initiatives to Enhance Login Security
Users can log in to our services using SMS (short message service) on smartphones and similar devices, either without setting a password at ID registration or by disabling their password.
Since logins cannot be made using passwords, this login method resolves the risks of fraudulent logins in which a third party uses a list of combinations of accounts and passwords acquired from other websites (so-called list-based attacks).
Users can log into Yahoo! JAPAN by using fingerprint or face recognition installed on their smartphones instead of a password or a validation code sent via SMS, etc. With this authentication system, we provide a convenient and simple login method while enhancing security. The feature is currently only available on Google Chrome version 70 or above on Android 7.0 or above.
Detection and measures against illegal logins
Various verification and monitoring measures by dedicated internal departments are in place, such as analysis, cut-off, and re-authentication of logins made by potentially malicious third parties.
Awareness raising towards information security
We provide information on measures that can be implemented by the users themselves to protect their Yahoo! JAPAN IDs from illegal use.
We provide alert services that inform users by e-mail when their Yahoo! JAPAN ID has been used to log in. Potentially unauthorized logins are immediately detected, and the option of temporarily locking an account should a login occur without the user’s knowledge contributes to preventing the escalation of unauthorized use of IDs.
On the Yahoo! JAPAN website, users can check the dates on which, and the services for which, their IDs were used to log in. By checking the record of the past 30 successful Yahoo! JAPAN logins, users can confirm for themselves whether or not a third party gained unauthorized access to their account.
We offer login themes on the Yahoo! JAPAN login screen. These theme images enable users to judge whether the website is legitimate when they log in to Yahoo! JAPAN. Use of login themes increases the likelihood of users recognizing fake login screens and enables them to avoid the dangers of phishing schemes.
The one-time password is a security feature that functions as a strong protection against unauthorized use of IDs. Should a user’s password become known to a third party, users can protect themselves by adding one-time password authentication to avoid unauthorized logins.
Unlike Yahoo! JAPAN IDs or user names, a secret ID is used only at login. Because IDs are often accessible to others, they may be used without authorization if they become known to malicious persons. In addition to a password, a secret ID known only to the user may be used to mitigate the danger of others learning that user’s ID.
Enhancements to Anti-Spam Measures
We provide a number of tools that offer protective measures for Yahoo! Mail users, such as automatic filters to remove spam and rejection of spoofed e-mail. A help page provides detailed explanations on how to set up and use such tools as part of our efforts to support users in anti-spam measures.
Measures on privacy