1. Home
  3. Notice and Apology Regarding Possible Leakage of Consumer Information Due to Illegal Access to IPSA Official Online Shopping Website

Dec. 2, 2016

Publisher: Shiseido

Management / Financial Result

Notice and Apology Regarding Possible Leakage of Consumer Information Due to Illegal Access to IPSA Official Online Shopping Website

IPSA Company, Limited (hereinafter IPSA), a wholly-owned subsidiary of Shiseido Company, Limited (hereinafter Shiseido), whose business focus is selling cosmetics products, has found that its official online shopping website has been illegally accessed by a third party and that, due to the vulnerability of the system, the following information has been possibly compromised: credit card information of the consumers who made online payments, as well as personal information of the registered members. The affected website is operated separately from other Shiseido Group online shopping websites so the Shiseido Group corporate and all other websites are not affected by this attack.

Shiseido and IPSA both tender the deepest apologies to consumers and all others affected for the concern and inconvenience this has caused and deeply regret not being able to prevent this incident despite fully understanding the importance of safe management of the acquired personal information. The companies will continue to offer sincere support to all the consumers who are possibly involved in this incident. Meanwhile, Shiseido Group is putting priority on improving its information security system, and will reinforce its internal control and strive to restore consumers’ trust.

1. Background

On Friday November 4, 2016, IPSA received a report of possible leak of credit card information from its payment agent. IPSA immediately halted the operation of credit card settlements on the IPSA online shopping website and set up an in-house investigation team with members from related departments, while also requesting a third-party forensics expert to identify and to contain the attack. IPSA reported the issue to the Akasaka police station on Monday, November 7, and made a verbal report to the Ministry of Economy, Trade and Industry on the next day, Tuesday, November 8. By placing top priority on preventing the consumers from further inconveniences and taking prompt actions, Shiseido and IPSA have worked closely with the parties involved. Upon receiving a report from the third-party forensics expert on Friday, November 25, and after a discussion with the credit card companies and other related parties regarding appropriate actions, the companies have decided to make this announcement today.

2. Affected website

IPSA official online shopping website http://www.ipsa.co.jp/ec/
* The affected website is operated separately from other Shiseido Group online shopping websites, so neither the Shiseido Group corporate website nor other websites are affected.

3. Personal information possibly compromised

1) Credit card information
Target: Consumers who made online payments on the IPSA official online shopping website during the following period:
December 14, 2011 - November 4, 2016 (Maximum period based on the results of investigation conducted by the third-party forensics expert.)
Items: Credit card holder’s name, card number, billing address, and card expiry date
* Password and security code are not included.
Number of cases: Maximum 56,121 cases.

2) Personal information other than credit card information
Target: All consumers who registered membership on the IPSA official online shopping website.
(Including the consumers stated in (1) above.)
Items: Consumer’s name, gender, date of birth, age, occupation, telephone number, e-mail address, address, log-in password, purchase record.
Number of affected consumers: 421,313 (as of November 4, 2016)

4. Response to consumers

Today, on Friday, December 2, IPSA sent out e-mails with apology and notification to the affected consumers and posted the same on both the Shiseido Group corporate website and the IPSA official website. In addition, letters have been sent out to the affected consumers.
IPSA has already provided the related credit card companies with the information on credit cards possibly leaked, and these cards are being closely monitored for illegal transactions. Moreover, IPSA has already informed the consumers who used credit cards for payments on the IPSA official website that if any suspicious transactions were discovered on the credit card statement, they should immediately contact the credit card company stated on the back side of their credit card. Should a credit card be reissued due to this incident, IPSA will cover the reissuance fee.
IPSA has set up a hotline dedicated to this issue, operating since today.
e-Mail Hotline for IPSA customer inquiries:
・e-mail: ipsa.cs@ipsa.co.jp 

5. Further measures

Shiseido and IPSA are continuing to investigate the issue with external experts in order to identify the cause and set up stronger security measures. By the end of January 2017, the companies plan to complete the investigation and send the investigation report to the affected consumers and post the same on the corporate websites.
Shiseido Group has been performing thorough examination on the current security system and as of today, the Group has not found any similar issues in other websites. However, the Group continues to make a concerted effort for further improvement of system security across the Group and also strives to enhance its internal control, going forward.

6. Outline of IPSA

Name: IPSA Company, Limited
Capital: Wholly-owned subsidiary of Shiseido Company, Limited
Address: 7-1-16 Akasaka Minato-ku Tokyo Japan
Representative: Masayuki Miyazawa, President, Representative Director
Founded: July 30, 1986
Business: Sales of cosmetic products
Capital stock: 100 million JPY

*The content of the release is correct as of the time of release, but please note that it may in some cases differ from the latest information.