
Privacy and Security

To remain capable of continuously providing safe and secure services to our users, the Z Holdings Group strives to achieve maximum information security throughout the company from a medium- to long-term perspective.

Measures on Privacy

Z Holdings Corporation uses various data including information on our users in order to improve the convenience and enrich our users’ lives and to solve various social issues leveraging the power of the Internet. Yahoo Japan Corporation has compiled and introduced its basic view and policy on how it handles data based on the company’s privacy policy, as well as its strict management of personal information and enhancement of information security, in its “Privacy Center.”
In May 2020, Yahoo Japan Corporation established the position of Data Protection Officer (DPO)* and appointed one. The DPO is tasked with promoting appropriate utilization of data in the company by advising on the protection of the user data handled and by supervising how that data is used.
In addition, we have established an advisory board consisting of experts from diverse fields, through which independent perspectives are incorporated into discussion and assessment of whether or not the privacy measures and practices at Yahoo Japan Corporation are appropriate in the eyes of users and society.

  • *Data Protection Officer (DPO) is responsible for implementing measures to protect privacy and personal information of users; specifically, the Officer provides advice on, supervises, and evaluates matters related to data protection from an objective standpoint, independent of any business divisions or the management in the company.

Basic Approach to Information Security

The Z Holdings Group has made utmost efforts against information security threats in accordance with our information security policy of: protecting our users from information leaks (confidentiality), providing round-the-clock service (availability), and securely protecting the service contents from destruction or fabrication (integrity).

In addition to these ongoing efforts, and with a view to detecting and countering increasingly sophisticated cyberattacks, we build our information systems and provide our services in compliance with the Cybersecurity Framework of the U.S. National Institute of Standards and Technology (NIST).
The Z Holdings Group has put together these approaches in its statement of “Z Holdings Group's Cybersecurity Policy” published in June 2020.

Based on these basic approaches, we have specified rules to be followed by employees on matters such as handling of information, in our internal regulations. Violations of the rules are subject to disciplinary action. Also, for the purpose of ensuring full understanding about the personal information handled in the company, as well as recognition of rules relating to it, we require all employees to submit written pledges.

Information Security System

We have established a cross-functional information security system under medium- to long-term perspectives.

Information Security Management Structure: Z Holdings Corporation plays the central role in managing information security throughout the entire Group.
  • GCISO: Group Chief Information Security Officer
  • CISO: Chief Information Security Officer

Yahoo! JAPAN’s Information Security Management System

Notes on Yahoo! JAPAN’s information security management system:
  • CEO: Appoints the Chief Information Security Officer (CISO)
  • CISO: Directs and evaluates measures related to the Group's information security under authority granted by the CEO
  • Security Strategy Team: Assists the CISO in planning and promoting security strategies and policies throughout the Group
  • Supervisory Organization of Information Security: Under the leadership of the CISO, manages information security-related initiatives and reports on them to the Top Management Committee (attended by the President and Representative Director, and by directors serving on the Audit and Supervisory Committee)
  • Chief of information security at each Supervisory Division: Appointed by the corporate officers of each Supervisory Division. The information security of subsidiaries and affiliated companies is managed and guided by the chief of information security of the Supervisory Division that supervises the respective subsidiaries and affiliated companies.
  • Yahoo Japan Corp. CSIRT: CSIRT stands for Computer Security Incident Response Team. As the base for comprehensively responding to information security incidents, the CSIRT centrally manages and operates incident information, coordinates among internal divisions and with external organizations, and supports the activities of the divisions that deal directly with incidents.

Acquisition of Third-Party Certification

Acquisition of Information Security Management System (ISMS) Certification

Z Holdings Corporation, Yahoo Japan Corporation, Z Financial Corporation and some subsidiaries underwent third-party audits and acquired Information Security Management System (ISMS) certification under ISO/IEC 27001:2013, the international ISMS standard, and under JIS Q 27001:2014, the Japanese standard, for all of their businesses.
Yahoo Japan Corporation, Z Financial Corporation and some subsidiaries, which are incorporated in the certification of Z Holdings Corporation, comply with information security rules of Z Holdings Corporation and manage information security under the same management system.
Yahoo Japan Corporation has a long history as an ISMS certified organization. In August 2004, it acquired BS7799-2:2002, the international standard at the time, and ISMS certification standards (Ver. 2.0), the Japanese version of the international standard at the time. Since then, we have complied with revisions to the international standard in order to maintain valid certification.

Acquisition of PCI DSS Accreditation

Yahoo Japan Corporation obtained Payment Card Industry Data Security Standard (PCI DSS) accreditation, a credit card security standard relating to cardholder information, transaction information, and payment processes, for its Yahoo! JAPAN Wallet online payment service in November 2008, and for Yahoo! JAPAN Shopping and YAHUOKU! in November 2009.
The accreditation obtained is the level 1 requirement, the most stringent requirement under PCI DSS geared toward participating merchants that handle a large volume of transactions. Through this accreditation, all systems related to information management and transaction processing of Yahoo! JAPAN Wallet, Yahoo! JAPAN Shopping, and YAHUOKU! have received verification that they have an international-level security in place.
Furthermore, we have acquired licenses for issuing and acquiring business from VISA and MasterCard, international credit card brands, and since March 2012, we have conducted the acquiring business for almost all credit-card payments in our services. Since obtaining PCI DSS accreditation for these operations in February 2012, we have continued to obtain the accreditation each year.

Images of Certificate of Validation For Service Providers

Efforts to Guarantee Information Security

Efforts to Provide Safe and Secure Services

As part of its efforts to provide robust services, Yahoo Japan Corporation addresses application vulnerabilities through measures such as vulnerability examinations conducted by dedicated internal organizations and by third-party institutions. In addition, it holds secure programming training for engineers with the aim of preventing application vulnerabilities. This training is considered important both for strengthening the abilities of engineers and for achieving compliance with international cybersecurity standards, and has been mandatory for all engineers in the company since FY2019. Yahoo Japan Corporation also conducts incident response training against cyberattacks (Z Holdings Cyber Training) five times a year in order to strengthen its responsiveness to such incidents.

Mechanism put in place to ensure the provision of safe services: safe and secure service operation is sustained through various training programs, including secure coding training for engineers and YJ-Hardening, which is aimed at strengthening incident response. The services provided are continually checked through internal assessments, internal audits, third-party examinations, and third-party assessments.

Moreover, to respond to newly emerging information security threats, Yahoo Japan Corporation strives to stay constantly aware of technological trends by obtaining the latest information from outside sources and by participating as a member in the following organizations.

System for Sharing Information with External Organizations

  • Nippon CSIRT Association (external website) and FIRST (external website): Through close collaboration with the CSIRTs in these bodies, we strive to solve social issues commonly faced by their member companies.
  • JC3: Japan Cybercrime Control Center (Japanese only) (external website): By sharing information on cybercrime, we work to identify the roots of threats in cyberspace, reduce and nullify those threats, and prevent future incidents from occurring.
  • Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) (external website): We contribute to inter-organizational collaboration during incidents from a technical standpoint.

Initiatives to Protect Users

To prepare for instances where a third party learns a user’s Yahoo! JAPAN ID or password, we implement countermeasures that prevent fraudulent logins and mitigate damage should such logins occur. In addition, we work to raise awareness among Japanese Internet users of how to manage login IDs securely. At the same time, we have preventive measures in place that anticipate a certain level of improper access.

  • Awareness raising: We provide information on measures that users themselves can implement to protect their Yahoo! JAPAN IDs from fraudulent use. See the Yahoo! JAPAN Security Center (Japanese only).
  • Provision of tools: Login history and login alerts allow users themselves to detect any fraudulent use of their Yahoo! JAPAN ID. One-time passwords prevent fraudulent logins in the event that a third party learns a user’s Yahoo! JAPAN ID or password.
  • Detection and measures against fraudulent logins: Analysis, cut-off, and re-authentication of logins suspected to come from malicious third parties; verification and monitoring by dedicated internal departments.

Initiatives to Protect Data

We organize our data into multiple categories based on the level of importance and have in place measures for protecting data in each category.

Data protection measures are categorized and implemented in several tiers according to the importance of the data. (Diagram of protection measures, comprising systemic, physical, and human measures.)

Thorough Education on Information Security

We conduct an online learning program every two months for all employees (including temporary and subcontract employees) of Yahoo Japan Corporation and some companies of the Z Holdings Group so that they acquire the information security knowledge necessary for their work. In addition to this periodic training, we conduct a company-wide extraordinary online training session in the event of an incident, so as to draw the renewed attention of all employees to security without delay. We also provide the following training programs adapted to employees’ duties and job titles.

  • Training for new hires: This online learning targets all new employees, both new graduates and mid-career hires (including temporary and subcontract employees). New hires learn general information security knowledge and countermeasures as well as internal rules on information management.
  • Training for newly appointed managers: This online training helps newly appointed managers acquire the knowledge related to information security that their role requires.
  • Training for engineers: The secure programming training targets all engineers in charge of programming.
  • Training for officers and managers: We invite outside experts twice a year for a small-scale seminar on the latest information security threats and countermeasures.
  • Drills: This virtual training, conducted every month, targets employees engaged in services. The employees learn the measures to be taken when information security incidents occur.

Initiatives to Enhance Login Security

Passwordless Login

Users can log in to our services using SMS (short message service) on a smartphone, etc., without setting a password at ID registration or by disabling their existing password.
Because no login can be made with a password, this login method eliminates the risk of fraudulent logins in which a third party uses a list of account and password combinations obtained from other websites (so-called list-based attacks).
Yahoo! JAPAN also offers a passwordless login option that lets users log in to their accounts using a validation code sent to the mobile phone number registered to their ID.

FIDO2

Users can log in to Yahoo! JAPAN using the fingerprint or face recognition built into their smartphones instead of a password or a validation code sent via SMS, etc. With this authentication system, we provide a convenient and simple login method while enhancing security. The feature is currently available only on Google Chrome version 70 or above, and on Android 7.0 or above.

Detection and measures against illegal logins

Dedicated internal departments carry out various verification and monitoring measures, such as analysis, cut-off, and re-authentication of logins made by potentially malicious third parties.

Awareness raising towards information security

We provide information on measures that can be implemented by the users themselves to protect their Yahoo! JAPAN IDs from illegal use.

Login Alerts

We provide an alert service that informs users by e-mail whenever their Yahoo! JAPAN ID has been used to log in. Potentially unauthorized logins are thus detected immediately, and the option of temporarily locking an account when a login occurs without the user’s knowledge helps prevent the escalation of unauthorized use of IDs.

Login History

On the Yahoo! JAPAN website, users can check the dates on which, and the services for which, their IDs were used to log in. By reviewing the record of the past 30 successful Yahoo! JAPAN logins, users can confirm for themselves whether a third party has gained unauthorized access to their account.

Login Themes

We offer login themes on the Yahoo! JAPAN login screen. These theme images enable users to judge whether the website is legitimate when they log in to Yahoo! JAPAN. Use of login themes increases the likelihood that users will recognize fake login screens and helps them avoid the dangers of phishing schemes.

One-Time Password

A one-time password is a security feature that provides strong protection against unauthorized use of IDs. Should a user’s password become known to a third party, the user can protect the account by adding one-time password authentication, which blocks unauthorized logins.

Secret ID

Unlike a Yahoo! JAPAN ID or user name, a secret ID is used only at login. Because IDs are often visible to others, an ID may be used without authorization if it becomes known to malicious persons. Using a secret ID known only to the user, in addition to a password, mitigates the danger posed by others learning that user’s ID.

Suspension of Dormant IDs

IDs that have not been used for a long time are prone to abuse by others, because unauthorized access to such IDs tends to go unnoticed by their owners. To prevent crimes that exploit unused IDs and to protect user information, we suspend, with some exceptions, IDs that have not been used for four years or longer, based on the Yahoo! JAPAN Terms of Service.

Enhancements to Anti-Spam Measures

We provide a number of tools that offer protective measures for Yahoo! JAPAN Mail users, such as automatic filters that remove spam and rejection of spoofed mail. A help page explains in detail how to set up and use these tools, as part of our efforts to support users in taking anti-spam measures.