Matters Related to Personal Data Breach due to Unauthorized Access to Multilingual Online Booking System Server (English, Chinese and Korean) and Notice of Measures Taken
It has come to our attention that there has been breach of personal data due to unauthorized access to the multilingual online booking system server (English, Chinese and Korean) for the hotels operated by Fujita Kanko Inc. (our “Hotels”).
We outsource the operation of the multilingual online booking system to FASTBOOKING Japan K.K., whose parent company (FASTBOOKING (HQ: Paris, France)) manages the server that was subject to unauthorized access.
FASTBOOKING has investigated the intrusion and reports that the personal data of 14,567 customers who used the multilingual online booking system between May 1, 2017 and June 19, 2018, and the credit card information of 10,903 customers who used the multilingual online booking system in or before August 2017, were leaked.
We offer our sincerest apologies to all customers and stakeholders affected by this incident.
Please note that our Japanese online booking system uses a different system and server from that of the multilingual system and has not been affected in any way.
Although we have not received any reports of customers being affected by the misuse of their leaked personal data, we have taken measures to shut down multilingual online booking system until we confirm that it is secure, and will work to prevent incidents of this nature from recurring. The details of the incident are as described below.
- Timeline of the Incident
|June 15||The server managed by FASTBOOKING was subject to unauthorized access and unencrypted personal data (full name, nationality, zip/postal code, address, e-mail address, booking price, booking number, hotel name, check-in date, and check-out date) was leaked. (First Incident)|
|June 17||The server managed by FASTBOOKING was subject to unauthorized access and encrypted information (full name, credit card number, credit card expiration date, and account name) was leaked. (Second Incident)|
|June 21||The Department in charge of our Hotels received an e-mail (in English) from FASTBOOKING regarding the First Incident entitled “SECURITY INCIDENT.”|
|June 22||Our Sales Department received a report by phone from FASTBOOKING Japan K.K. regarding the First Incident.|
|June 23||The Department in charge of our Hotels received an e-mail (in English) from FASTBOOKING regarding the Second Incident entitled “SECURITY INCIDENT.”|
|June 25||We received a formal written and oral report from the President of FASTBOOKING Japan K.K. regarding the First and Second Incidents.|
|June 26||We reported the incident to the Personal Information Protection Commission, Japan.
We temporarily shut down our Multilingual online booking system.
|June 27||We posted a notice and apology regarding these incidents on our international website, Japanese website and on the multilingual online booking system of each Hotel.|
N.B.: Dates are in Japan Standard Time (GMT+9).
- Cause of the Incident
We have confirmed that there was unauthorized outside access to a server managed by FASTBOOKING, the parent company of one of our service providers. FASTBOOKING has been continuing its investigation of the incident with the help of a third-party organization in order to ensure stronger security in future.
- Subject to the Incident
The affected customers are those who made reservations through our multilingual online booking system (English, Chinese and Korean) for the following Hotels during the following periods.
- Support for Affected Customers
We posted a notice and apology regarding these incidents on our international website, Japanese website and on the multilingual online booking system of each Hotel. Although we have not had any reports of customer data being misused so far, we have set up a helpdesk and will continue to monitor the situation.
(2) To Customers Affected by First Incident
We will send an e-mail to affected customers explaining the incident and offering our apologies.
(3) To Customers Affected by Second Incident
FASTBOOKING reports that affected customers have already received a notice through their credit card provider detailing the possible leak of card details and suggesting that they change their passwords.
- Measures to Prevent Recurrence
(1) Resume operation after security confirmation
We have shut down the multilingual online booking system pending completion of the security diagnosis of FASTBOOKING by a third-party organization and issuance of security certification.
(2) Future Measures
We have issued a notice to FASTBOOKING Japan K.K. demanding that it improve its systems. Moreover, in recognition of the fact that we have been entrusted with customers’ important information, we will be working with an expert cybersecurity firm to perform regular security checkups in order to further improve the security of the Japanese and multilingual online booking systems for our Hotels.
For inquiries related to this matter:
Fujita Kanko Inc. Customer Service
- Matters Related to Personal Data Breach due to Unauthorized Access to Multilingual Online Booking System Server (English, Chinese and Korean) and Notice of Measures Taken