 |
 |
 |
|
Takeshi Niinami
President and CEO |
| August 6, 2003 |
|
Report From Investigation Committee Concerning Leak of LAWSON PASS Cardholder
Information
Lawson today announced the results of an investigation concerning the leak of LAWSON
PASS cardholder information. LAWSON PASS is a credit card issued by Lawson and affiliate LAWSON CS Card,
Inc. (LCS). The investigation was conducted at Lawson by a joint committee of the three companies involved—Lawson,
LCS and a systems development outsourcing company. Lawson also announced additional internal measures designed
to protect personal information, as well as salary reductions for some members of senior management.
| 1. |
Report of the Investigation Committee
The investigation committee, which was chaired by Yasuyuki Takai, an attorney from outside Lawson,
interviewed relevant people and gathered related information and documents. The committee’s
findings were as follows: |
| |
| (1) |
It was determined that only personal information and no credit information
was leaked. |
| (2) |
It is highly likely that the information was intentionally taken
from two computers used by a systems development and operations company that was working under
contract for Lawson. |
| (3) |
Neither Lawson nor LCS employees had the password to access these
computers. |
| (4) |
Only a small number of people had access to the computers in question.
However, pinpointing the person(s) who took the information is impossible, given the limitations
of a private investigation of this type. |
| (5) |
Discussions are currently being held with the authorities about
the identification of the individuals involved and the action to be taken against them. |
|
| 2. |
Policies for the Protection of Personal Information
The Personal Information Protection Committee, chaired by President Takeshi Niinami, has decided
on the following policies for the protection of all customer information, including that held by
stores, and not just LAWSON PASS cardholder information. These policies supplement security measures
previously announced on July 15 of this year. |
| |
| (1) |
Impose tighter controls on the handling and disposal of personal
information at the store level. |
| (2) |
Draft internal regulations for personal information that include
punitive measures for breaches, and strictly enforce those regulations. |
| (3) |
Redouble efforts to educate employees on matters pertaining to the
protection of personal information. |
| (4) |
Conduct internal audits covering personal information. |
| (5) |
Prepare standards for the selection of contractors, review the terms
of contractor agreements and conduct regular inspections. |
|
| 3. |
Internal Action
Due to the concern caused to cardholders by the leak of personal information, the following members
of Lawson’s senior management team will take a reduction in salary or receive a reprimand: |
| |
| Takeshi Niinami |
President and CEO |
10% pay cut for 3 months |
| Teruo Aoki |
Senior Executive Vice President
(formerly Chief Information Officer (CIO)) |
20% pay cut for 3 months |
| Susumu Hasegawa |
Senior Vice President,
General Manager,
Information Systems Office
(Currently CIO) |
20% pay cut for 3 months |
| Shigeaki Kawahara |
Senior Vice President,
Marketing Division |
10% pay cut for 3 months |
| Leader, Information Systems Office |
Person in Charge of
Systems Development |
Reprimand |
|
| 4. |
Chronology of Events |
| |
| June 9 |
|
Inquiry from cardholder |
| June 10 |
|
Internal investigation launched |
| June 18 |
|
Inquiry from another cardholder |
| June 19 |
|
Cardholder information leak confirmed |
| June 23 |
|
Investigation committee formed and law enforcement authorities contacted |
| June 24 |
|
Personal Information Protection Committee formed |
| June 26 |
|
Press release issued on leak of cardholder information |
| July 9-12 |
|
Letter of apology sent to cardholders |
| July 15 |
|
Press release made concerning measures for securing personal information.
Key points of the press release were as follows: |
|
| <Announcement on Measures to Secure Cardholder Information> |
| |
| (1) |
A 24-hour security camera will be installed in the room where operators
enter cardholder information |
| (2) |
Finger-print verification will be used to restrict access to this
room |
| (3) |
A finger-print verification device will be installed in access
terminals |
| (4) |
The number of people with access to personal information will be
further restricted |
| (5) |
The company managing cardholder information has agreed to introduce
the same security measures |
|
Lawson wishes to again express its sincerest apologies to cardholders for the worry and
concern caused by the information leak, which led to some customers receiving unsolicited direct mail.
Lawson continues to work with law enforcement authorities and to enhance security so as to tighten the
management of important cardholder information and win back the trust and confidence of cardholders. |
|
|
|
|
|
|
|
|
