Apology and Report Regarding Personal Information Protection Incident/June 2, 2025

ページコンテンツ

1 Incidents that occurred
2 Information made available
3 Status
4 Requests and responses to customers
- 4.1 New customer with other customer information displayed
- 4.2 Customers whose information has been made available to other customers
  - 4.2.1 Consideration of the risk of exploitation
  - 4.2.2 Possible attacks and countermeasures
5 Initiatives to prevent recurrence
- 5.1 Emulating multi-tenant behavior in development environments
- 5.2 Redesign of sensitive information key values
6 lastly
7 Contact for this matter

Incidents that occurred

Due to a malfunction in the system modifications implemented at 2:00 a.m. on May 30, 2025, an issue occurred in which other customer information was displayed to customers under certain conditions.

Specifically, when new member registration is completed on regional OTA sites that have implemented the Chipla standard package, customer information with the same customer ID on other sites will be viewable.

The problem affected 106 new customers and existing customers who had signed up at the time the issue occurred.

*This issue and the system malfunction have already been resolved.

Information made available

email address
Name
address
telephone number
birthday
Reservation history

*This varies depending on your registration status and usage.

*There will be no password leaks (Passwords cannot be displayed on My Page. They are stored in a database using irreversible encryption, so even system administrators cannot know about them.)

*Credit card information will not be leaked. It is not stored on the server.

Status

Date and time of occurrence: Around 2:00 AM on May 30, 2025
Resolution date and time: June 2, 2025, around 13:00
This issue is now resolved.
Affected customers
- Customers who completed membership registration during the period: 109 people
- Customers with the same ID as the above member on a certain local site: 109

Requests and responses to customers

New customer with other customer information displayed

Please discard any information that was displayed incorrectly. Also, please refrain from attempting to log in using a known email address, as this is a violation of the Unauthorized Access Prevention Act.

Customers whose information has been made available to other customers

We sincerely apologize for causing concern. We have explained the risks of misuse and how to deal with them.

Consideration of the risk of exploitation

Considering the following, we believe that there is little risk that the information that has been made available will be misused.

However, there is a possibility that it may be used in attacks described below.

The customer whose information was incorrectly displayed is one person, not an unspecified number of people.
There will be no leakage of passwords or credit card information.
It was a system malfunction and was not leaked as a result of a malicious attack.
Once you are logged out, you will not be able to view the page. ← Forced logout of all customers has been implemented.
The problem has been fixed.
Because this is a reservation site, not a product sales site or stock trading site, any damage can be detected and responded to at the time of booking.

Possible attacks and countermeasures

There is no risk that the information made available through the above will be immediately misused.

A possible attack would be a “phishing scam” where the email address you viewed is masquerading as a real reservation site, leading you to a fake site where you are asked to enter important information. The method is as follows:

Sending emails pretending to be from a booking site
The subject of the email contains words that make you anxious, such as “urgent” or “action required.”
Links in emails lead to fake websites
Fake sites prompt you to enter your passwords and card details

As a workaround, please ignore any emails sent from any other email address than the one listed in the notification.

If you are unsure, please do not click on the link in the email, but instead access the link via web search or bookmarks.

If you are unsure, please log in to your customer page (listed in the email) and change your email address.

Initiatives to prevent recurrence

Emulate multi-tenant behavior in your development environment
Change the design so that key values for highly sensitive information such as customer information and reservation information are unique across all sites.

Emulating multi-tenant behavior in development environments

This defect occurred due to a careless modification made while implementing multi-tenancy support. Since it did not reoccur in the development environment, it was released in the production environment.

The reason we didn’t reproduce it in the development environment is because it is running in single-tenant mode. We will prepare the development environment so that we can emulate a multi-tenant state.

Redesign of sensitive information key values

We will change the design so that key values for highly confidential information such as customer information and reservation information are unique across all sites. This will ensure that even in the unlikely event that an unintended state occurs, an error will not occur and other customers’ information will not be viewable.

lastly

We are very sorry for this serious incident in which your important personal information was mistakenly displayed to a third party. We sincerely apologize for
the inconvenience and concern this has caused you.

We take this incident very seriously and will endeavor to prevent a recurrence by reviewing our management system, strengthening our systems, and providing thorough education. We will continue
to work on further strengthening our information management system so that we can continue to earn your continued trust.

Contact for this matter

If you have any questions or inquiries, please contact us at the details below.

Customer Support

カテゴリー: 未分類