Casio Computer Co., Ltd. disclosed today that an external party gained unauthorized access to the server for the company’s education web application “ClassPad.net,” resulting in the leak of personal information of some registered customers in and outside Japan.
Casio sincerely apologizes for the inconvenience and concern this incident causes customers and everyone involved.
An external cyber-attack was carried out against a database in the development environment for “ClassPad.net,” a web application managed and operated by Casio. As a result, the personal information of some customers in and outside Japan, stored in the database, was accessed and leaked. Casio has confirmed that there is no evidence of any unauthorized intrusion into assets other than the database in the development environment.
On the evening of Wednesday, October 11, when the person in charge attempted to work in the development environment, it was discovered that a database failure had occurred, and the company assessed the situation. As the company continued to analyze the situation, it was additionally confirmed that, on the evening of Thursday, October 12, the personal information of some residents of countries other than Japan was accessed.
At this time, it has been confirmed that some of the network security settings in the development environment were disabled due to an error in operating the system by the department in charge and insufficient operational management. Casio believes these were the causes of the situation that allowed an external party to gain unauthorized access.
4. Response underway
Currently, all databases in the development environment targeted by the attack are inaccessible to those outside the development environment.
Casio reported the incident to Japan’s Personal Information Protection Commission and to JUAS (the “PrivacyMark” certification organization) on Monday, October 16.
Casio will continue to consult with and engage an external security specialist organization to conduct further internal investigations, analyze the root causes, and devise appropriate countermeasures in response to this incident. Casio will also engage an external law firm to consider potential legal steps, including interfacing with the authorities. In addition, Casio is consulting with the police and will cooperate with the investigation.
5. Personal information accessed
(1) customer name; (2) customer email address; (3) country/region of residence; (4) purchasing information (order details, payment method, license code, etc.)*1; (5) service usage information (log data, nicknames, etc.)
*1 Credit card information is not retained.
6. Number of items accessed*2
- Customers in Japan: 91,921 items belonging to customers, including individuals and 1,108 educational institution customers
- Customers outside Japan: 35,049 items belonging to customers from 148 countries and regions
*2 As of October 18, 2023. If information on the number of items accessed changes, Casio will disclose updated figures.
7. Customer support
Casio will contact, by email or other means, all customers whose personal information may have been accessed. Casio will also respond to inquiries from customers at the contact point below.
- Contact for inquiries from customers regarding this matter:
Casio website (https://world.casio.com/information/1018-incident/)
8. Service usage
There was no unauthorized access to the "ClassPad.net" app, so it is available for use as usual.
9. Next steps
Casio will strengthen technical safety management by implementing security enhancement measures for network routes and databases. In terms of operational management, Casio will implement thorough safety management measures, including reviewing security operational rules and continuing employee training on security measures.
Once again, Casio deeply apologizes for the great inconvenience and concern this incident causes our customers and everyone involved.