Japanese confectionary manufacturer Morinaga has warned that a suspected data breach of its online store may have exposed the personal information of more than 1.6 million customers.
Potentially exposed information includes the names, addresses, telephone numbers, dates of birth, purchase histories, and, in fewer than 4,000 instances, email addresses of affected Morinaga Direct customers.
The firm fears that attackers accessed several servers managed by the vendor after exploiting vulnerabilities in its network.
‘Unauthorized access’
In the English-language version of a breach notice (PDF), Morinaga at it “cannot rule out the possibility of a leak of some personal information” of affected customers of its Morinaga Direct Store e-commerce business, after “several servers managed by the company were subjected to unauthorized access”.
The firm – which apologized to its customers, business partners, and other stakeholders – stated that the exposed information excluded credit card information.
Although there’s no evidence of any fraudulent use of potentially leaked personal information, the firm has begun directly notifying potentially affected customers about the incident.
Customers who bought products from the candy maker between May 1, 2018 and March 13, 2022 may be affected.
Investigation
The problem was identified on March 13, when staff investigating the cause of error messages on company-managed servers detected evidence of unauthorized access.
“Some segments of the company’s internal IT system were impaired as a result of the unauthorized access,” Morinaga reports.
Morinaga shut down external access to its network after discovering the breach, before hiring external experts and setting about investigating the breach.
“The initial investigation confirmed that several of the company’s servers had been subjected to unauthorized access and that access to some data had been locked,” the vendor’s official statement said, adding that one of the affected servers handled product deliveries to Morinaga Direct Store customers.
Use of the term “locked” implies that some form of ransomware might have been involved in the attack, but this remains unconfirmed. The Daily Swig contacted the Japanese manufacturer for confirmation on this point along with a request for an update on its incident response and breach investigation.
Morinaga’s investigation has thus far determined that it is “highly likely that the unauthorized access was achieved through the exploitation of vulnerabilities in [unnamed but internet-connected] network devices”.
Although there has been “some impact on the supply of certain products” following the incident, Morinaga said it does not anticipate anything more than a “minor” impact on its business performance.
The firm has nonetheless reported the incident to law enforcement and Japan’s Personal Information Protection Commission.
