Upon the completion of our internal investigation, Japan Airlines has reached the conclusion that the JAL Mileage Bank (JMB) information (*1) of 4,131 customers was compromised due to unauthorized access to the JAL Customer Information System that was first uncovered in September 2014. A verification committee (*2) for this incident, internally established on October 31, 2014 and made up of JAL's external directors and external audit & supervisory board members, has endorsed our internal investigation and our future actions after conducting its verification of our investigation process.
We have found no indication that JMB PINs or credit card numbers linked to JMB accounts were compromised. The JMB Mileage Program continues to remain operational and JMB members may redeem their JMB miles for awards as usual. (*3)
Data security is our top priority at JAL, and we deeply regret that our customers' information was compromised. We are committed to enhancing our information management practices, reviewing the operation of our systems, and otherwise ensuring stronger security measures in the future.
Final investigation report:
Our investigation into this incident was conducted with the assistance of external security consultant firms. In this investigation, we found no evidence indicating that additional customer information may have been compromised, other than the JMB accounts announced in previous reports. Based on our findings, we have concluded that three JAL computers were unlawfully used to transfer the personal information of 4,131 customers to an unauthorized external server.
Customers who have been personally contacted in earlier notification efforts will be informed of this final investigation report by email and by post.
Before September 19, 2014 (during which a sample of data was accessed) |
September 19 and 22, 2014 (days on which affected system showed a slow response) |
|
---|---|---|
Number of customers whose personal data was retrieved from the affected system and found on the affected computers | Previous reports: 139 customers ↓ Final report: No customer information was illegally transferred outside the JAL network. |
Previous reports: 83,224 customers ↓ Final report: The personal information of 4,131 customers was compromised. |
Data that was illegally sent to the unauthorized remote server, based on an analysis of the volume of data transferred | Previous reports: Up to 730,000 customers ↓ Final report: No customer information was illegally transferred outside the JAL network. |
Previous reports: 9,745 customers ↓ Final report: The personal information of 4,131 customers was compromised. |
■The Verification Report (Summary) prepared by the Verification Committee of Independent Executives Concerning the Theft of Customer Information can be viewed by clicking the link below.
In order to view PDF documents, you will need to install Adobe Reader on your computer.
About PDF
■For inquiries, please contact the JAL Mileage Bank Center of your region.
(*1) The following JMB information was affected:
*There is no indication that credit card numbers or JMB PINs were compromised.
(*2) Verification Committee of Independent Executives Concerning the Theft of Customer Information: Consisting of JAL's five External Directors and External Audit & Supervisory Board Members, this committee serves an important role by conducting an objective verification to ensure effective internal control and remedial actions. The verification was conducted with the participation of an outside auditing and advisory firm, which provided assistance and support throughout the process.
(*3) Please note that the Amazon Gift Certificate Award is temporarily unavailable. An announcement will be posted on the JAL website once the relaunch schedule is determined.
January 21, 2015
Japan Airlines