
Cyber Security and Privacy Protection

KDDI's Approach

With the increasing prevalence of smartphones and the rapid progress of technologies such as big data and AI in recent years, new services that make use of various kinds of personal information are being considered.
At the same time, however, these changes have also highlighted many issues surrounding privacy, and governments are reviewing their laws and regulations.
To use personal data while protecting privacy, KDDI has published its privacy policy and its rules for handling personal information, including the types of information collected, the purposes of use and the requirement for a customer's consent, and protects personal information on that basis under a zero-tolerance policy. In January 2020 we also set up the Privacy Portal to explain clearly how KDDI uses customers' information, ensuring transparency and deepening customers' understanding. The Privacy Portal was renewed in October 2021, and we continue to add information and improve its content.
We also need to protect our communications infrastructure from so-called cyberterrorism, in which unauthorized use of that infrastructure causes system failures. KDDI has proper defenses in place against such external attacks, including 24/7 monitoring by specialists to detect them, as part of our efforts to earn the trust of customers and stakeholders as a telecommunications business that provides an essential utility.
Moreover, to further ensure that we handle customer information properly, we have established an internal body dedicated to this purpose, have a third party assess our handling of personal information, conduct a privacy impact assessment (PIA) before a service is introduced, and take other actions.

Information Security Management Framework

To ensure a unified approach to the security of information assets across the group as a whole, we have established the Information Security Committee chaired by the Senior Managing Executive Officer, Director, Executive Director, Technology Sector. The committee comprises the management level, along with the general managers of sales, technology and corporate divisions.
Under this framework, we accurately grasp the status of information security management and promptly implement measures to enhance the information security throughout the group.
KDDI also acknowledges that proper information management is a key issue for our business. To ensure information security, we have established the Security Policy that specifies our basic policies on information security, covering information security management framework, the implementation of information security measures, and internal rules about information security, among others.

Information Security Management Framework

Strengthening Information Security throughout the Company

All KDDI Group companies have been ISMS (ISO/IEC 27001) [1] certified since 2009. For our group companies, the KDDI Group Information Security Standards were introduced in fiscal 2011. In fiscal 2017, we revised the standards and extended them to apply to all group companies. Building on the improvement in the security level of KDDI Group companies that resulted from this change, we regularly audit the security level of group companies in an ongoing effort to strengthen the information security governance of the KDDI Group as a whole. KDDI Digital Security Inc. was also founded in February 2018, and the company's specially trained security engineers now respond to cyberattacks.

[1] ISMS certification (ISO/IEC 27001:2013): a third-party conformity assessment scheme for information security. It was established with the goal of contributing to widespread improvements in information security and encouraging companies to target levels of information security that can be trusted around the world.

ISMS Certification KDDI Acquired

Registration number | Organization         | Initial registration
IS 95253            | KDDI Corporation [2] | June 7, 2005

[2] Includes the corporate, technology, and sales and customer support divisions, as well as KDDI Kyosaikai (now KDDI Group Welfare Association), KDDI Health Insurance Union, KDDI Pension Fund, KDDI MATOMETE OFFICE CORPORATION, Japan Telecommunication Engineering Service Co., Ltd., and KDDI Challenged Corporation.

Basic Principles concerning the Handling and Use of Personal Data

We have implemented internal rules for the handling of customers' personal data and use of big data in line with the Act on the Protection of Personal Information and other related laws and regulations. We obtain, manage and use such data in accordance with our terms of use for each service and privacy policy.
Data about our subscribers are vital to us. We use the data to help improve the customer experience and to contribute to the continuous development of society. We ensure responsible use of data through corporate actions in order to gain customers' understanding. These actions include explaining in detail how the data will be used, and processing the data in such a way that individuals cannot be identified.
To comply with the amended Act on the Protection of Personal Information that comes into effect in April 2022, we are taking inventory of personal data that have been internationally transferred, and taking actions to meet new regulations related to personal data.

Use of Artificial Intelligence (AI)

In order to further enhance the value of the customer experience and contribute to the sustainable development of society through the use of artificial intelligence (AI), KDDI, in cooperation with KDDI Research, Inc., formulated the "AI R&D and Utilization Principles for KDDI Group" on August 30, 2021, as part of "KDDI Accelerate 5.0."
Through internal educational activities based on these principles, the KDDI Group will promote the research, development, and utilization of AI so that customers can use our services safely.

Efforts to Reduce Information Security Risks

Management of Information Assets According to Importance

KDDI classifies information assets under its internal information security rules, defines how each class of asset is to be handled according to its importance, and applies matching security measures. For example, customer information may only be handled on terminals that are blocked from accessing the Internet, and only a limited set of authorized persons may access such assets, enforced by strict authorization controls. Information assets classified as critical are additionally protected by strong encryption so that they cannot be read by third parties outside the company. By applying security measures proportionate to the importance of each information asset, KDDI achieves thorough management of its assets.

Information Security Training for all Employees

KDDI provides information security training through e-learning for all employees, including executives. The content is updated annually based on the latest threat trends, including examples of cyber-attacks occurring in Japan and overseas and the methods of attacks targeting employees, to enhance the skills and awareness of employees. In addition to the above, we also provide training for new employees, training for new line managers, and other stratified training programs to prevent information security incidents, as well as a variety of other information security education programs.

Information Security Management and Measures

Security Review and Vulnerability Scanning

KDDI has a cyber security policy prescribing the standards for cyber security measures that our business information systems must implement, and conducts reviews to confirm that the policy is followed.
The security policy specifies the details and interpretation of the security requirements for the information systems that the KDDI Group plans, develops, and operates. These requirements cover the physical location of hardware, connections to external networks, software versions, methods of authentication and access control, and how logs are acquired and retained. By rigorously conducting the security review of an information system at the transition from planning to development, we achieve "security by design," in which cyber security is considered from the planning and design phase onward.
In the operation phase, we conduct network vulnerability scanning to identify problems in servers and networks. Network vulnerability scanning uses a dedicated scanning appliance that holds a signature database of known vulnerabilities in various software, and uses it to identify security issues in the scanned servers and network devices.
The issues found are classified into risk-based levels so that corrective actions, such as applying patches and changing settings, can be prioritized and taken.
By taking these actions to ensure information system security in the planning, development, and operation phases, we offer safe and secure services.

Process of the Security Review and Vulnerability Scanning

Security Monitoring

KDDI performs integrated cyber security monitoring across Japan from its regional centers. If a large-scale failure occurs, the supervisory offices take overall control, directing the relevant internal and external entities on recovery and providing information. Within this framework, our specially trained security engineers monitor 24/7 for cyber-attack threats such as unauthorized access, tampering, and targeted attacks. They monitor and analyze the enormous volume of logs from security monitoring devices for signs of attack, detect dangerous incidents (e.g., unauthorized access, tampering) as soon as they occur, and promptly inform the CSIRT and the relevant internal departments as necessary so that they can take action.

Security Monitoring in the SOC (Security Operations Center)

Initiatives by the CSIRT

KDDI has the KDDI Computer Security Incident Response Team (KDDI-CSIRT) as a body dedicated to handling cyber security incidents. The CSIRT works with KDDI Digital Security Inc., a KDDI Group company, to receive incident information, handle incident response, support the response, and explore recurrence prevention measures, among other tasks. As a member of the Forum of Incident Response and Security Teams (FIRST) and the Nippon CSIRT Association, the KDDI-CSIRT cooperates with CSIRTs in Japan and overseas to share information about trends and approaches.
Given that cyber-attacks have become increasingly sophisticated, we continually take measures against new threats by collecting more information about vulnerabilities and attacks, analyzing information more thoroughly, and automating and advancing courses of action to handle cyber-attacks.

Process of Cooperation with Information Sharing Agencies and External Reporting Contact

Initiatives by the SSIRT

Over the past few years, there has been a sharp increase in the number of phishing scams that use email or SMS to lure customers to fake websites and steal their credentials in order to commit fraud. KDDI has established the KDDI-SSIRT (Service Security Incident Readiness & response Team) as a specialized organization to deal with this kind of unauthorized use and is working to strengthen countermeasures.
In addition to sending customers information about phishing scams and taking conventional anti-spam measures, we work to prevent damage from fake websites by detecting them as they appear and cooperating with the relevant organizations.
Furthermore, we have established a system that conducts 24/7 monitoring for unauthorized login attempts to take over the accounts of authorized users, and we are working to strengthen our countermeasures.
We have also introduced a process in which experts audit new services from the viewpoint of measures against unauthorized use, and have established a checking system to prevent inadequacies in authentication and other aspects of the service.
Since phishing scams are becoming increasingly sophisticated on a daily basis, we will continuously promote proactive security enhancements for each of our services, as well as work on countermeasures against new threats.
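The 24/7 monitoring for account-takeover login attempts described in this section, and the SOC's log analysis for unauthorized access described under Security Monitoring, both come down to detection rules run over authentication logs. The following is an added example, not KDDI's SOC or SSIRT tooling: it parses a constructed log format, applies three sliding-window rules per source IP (a burst of failures, many distinct usernames, and a success following a run of failures), and returns alerts that would be passed to the CSIRT. The log format, thresholds, addresses and sample entries are all constructed for illustration.

```python
"""Login-anomaly detection over authentication logs.

Added example, not KDDI's SOC/SSIRT tooling. The log format, thresholds and
the sample entries below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 ts> login <ok|fail> user=<name> ip=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=5)
BRUTE_FORCE_FAILS = 5     # failures from one IP inside WINDOW
STUFFING_USERS = 4        # distinct usernames tried from one IP inside WINDOW
TAKEOVER_PRIOR_FAILS = 3  # failures from the same IP preceding a success

# Constructed sample log: a brute-force run that ends in a successful login,
# a credential-stuffing burst across several accounts, and benign traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login fail user=alice ip=203.0.113.5
2024-05-01T10:00:08Z login fail user=alice ip=203.0.113.5
2024-05-01T10:00:15Z login fail user=alice ip=203.0.113.5
2024-05-01T10:00:21Z login fail user=alice ip=203.0.113.5
2024-05-01T10:00:30Z login fail user=alice ip=203.0.113.5
2024-05-01T10:00:37Z login fail user=alice ip=203.0.113.5
2024-05-01T10:00:44Z login ok user=alice ip=203.0.113.5
2024-05-01T10:01:00Z login fail user=bob ip=198.51.100.7
2024-05-01T10:01:02Z login fail user=carol ip=198.51.100.7
2024-05-01T10:01:04Z login fail user=dave ip=198.51.100.7
2024-05-01T10:01:06Z login fail user=erin ip=198.51.100.7
2024-05-01T10:02:00Z login fail user=bob ip=192.0.2.20
2024-05-01T10:02:10Z login fail user=bob ip=192.0.2.20
2024-05-01T10:02:20Z login ok user=bob ip=192.0.2.20
2024-05-01T10:03:00Z login ok user=frank ip=192.0.2.9
"""


def parse(lines):
    """Parse log lines into event dicts, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect(events):
    """Apply sliding-window rules per source IP and return alerts in time order.
    Brute-force and stuffing alerts fire once per IP; takeover fires per success."""
    alerts = []
    recent = defaultdict(list)   # ip -> events seen inside WINDOW
    flagged = defaultdict(set)   # rule -> ips already alerted
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        window = [x for x in recent[ip] if ev["ts"] - x["ts"] <= WINDOW] + [ev]
        recent[ip] = window
        fails = [x for x in window if x["result"] == "fail"]
        users = {x["user"] for x in window}
        if len(fails) >= BRUTE_FORCE_FAILS and ip not in flagged["brute_force"]:
            flagged["brute_force"].add(ip)
            alerts.append({"kind": "brute_force", "ip": ip, "user": None, "ts": ev["ts"]})
        if len(users) >= STUFFING_USERS and ip not in flagged["credential_stuffing"]:
            flagged["credential_stuffing"].add(ip)
            alerts.append({"kind": "credential_stuffing", "ip": ip, "user": None, "ts": ev["ts"]})
        # A success right after a run of failures from the same source is the
        # signature of a guessed or stuffed password: escalate for response.
        if ev["result"] == "ok" and len(fails) >= TAKEOVER_PRIOR_FAILS:
            alerts.append({"kind": "possible_takeover", "ip": ip, "user": ev["user"], "ts": ev["ts"]})
    return alerts


def run_demo():
    """Run the rules over the constructed sample log."""
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['ts'].isoformat()} {a['kind']:20s} ip={a['ip']} user={a['user']}")
```

On the sample log the rules raise a brute-force alert for 203.0.113.5 at the fifth failure, a possible-takeover alert when the same address then logs in as alice, and a credential-stuffing alert for 198.51.100.7 after four different usernames; the two failed attempts followed by a success from 192.0.2.20 stay below every threshold, which is the kind of tuning that keeps a real SOC's queue free of ordinary mistyped passwords.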

Human Resource Development

KDDI defines role models for professional human resources to help shape clear career paths.
We encourage our employees to acquire a wide range of knowledge and to deepen their expertise, including through personnel exchanges with external organizations and obtaining highly specialized certifications.

Role Models for Specialized Human Resources

Promotion of R&D Related to Information Security

World Record in a Decoding Contest

KDDI promotes research and development on faster decoding algorithms in order to design faster and safer next-generation public-key cryptography, helping to create telecommunications systems that are safe to use.
Public-key cryptography is a generic technology that supports safe and secure telecommunications systems, including the internet; it is used in everyday technologies such as online shopping and IC cards. Progress toward practical quantum computing, however, threatens to make today's public-key cryptography decodable quickly, so public-key cryptography that cannot be decoded by quantum computers will also be needed. When error-correcting codes are used as the basis of such next-generation public-key cryptography, it is vital to identify the largest dimension that can be decoded in practice in order to determine what dimension is safe.
In February 2022, at the decoding contest "Challenges for code-based problems," KDDI became the first in the world to solve the 540- and 550-dimension syndrome decoding problems.
We also improved the decoding algorithm and optimized it for a parallel, multithreaded environment, making the decoding process 226 times faster.
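The problem behind this contest is syndrome decoding: given a binary parity-check matrix H, a syndrome s and a weight t, find an error vector e of Hamming weight t with H e^T = s. The following is an added example, not KDDI's contest code: it implements the simplest information-set decoder, Prange's algorithm, over GF(2) on a small instance constructed at random, and computes the expected number of iterations, which is the quantity that grows exponentially with the dimension and so fixes the "safe" parameter size the text refers to. The contest's actual parameters and KDDI's optimized algorithm are not reproduced; the instance sizes used below are arbitrary.

```python
"""Toy syndrome decoding with Prange's information-set decoding over GF(2).

Added example, not KDDI's contest code. The instance (H, s, t) is constructed
at random; the decoding-challenge parameters themselves are not reproduced.
"""
import math
import random


def syndrome(H, e):
    """Compute s = H e^T over GF(2) for a 0/1 row-list matrix H and vector e."""
    return [sum(h[j] & e[j] for j in range(len(e))) & 1 for h in H]


def gen_instance(n, k, t, rng):
    """Constructed sample instance: random (n-k) x n parity-check matrix H,
    a secret error vector e of Hamming weight t, and its syndrome s."""
    r = n - k
    H = [[rng.randint(0, 1) for _ in range(n)] for _ in range(r)]
    positions = set(rng.sample(range(n), t))
    e = [1 if j in positions else 0 for j in range(n)]
    return H, syndrome(H, e), e


def reduce_on_permutation(H, s, perm):
    """Column-permute H by perm, append s, and Gauss-Jordan-reduce so that the
    first n-k columns become the identity. Returns the reduced augmented rows,
    or None when those columns are singular (the permutation must be retried)."""
    r, n = len(H), len(H[0])
    rows = [[H[i][perm[j]] for j in range(n)] + [s[i]] for i in range(r)]
    for col in range(r):
        pivot = next((i for i in range(col, r) if rows[i][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for i in range(r):
            if i != col and rows[i][col]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[col])]
    return rows


def prange(H, s, t, rng, max_iters=20000):
    """Find e with weight t and H e^T = s, or None if max_iters is exhausted.

    Each iteration bets that all t errors lie outside a random information set
    (the last k permuted columns). After reduction to [I | A], the vector
    e' = (s', 0, ..., 0) always satisfies [I | A] e'^T = s'; it is a valid
    solution exactly when s' has weight t.
    """
    r, n = len(H), len(H[0])
    for _ in range(max_iters):
        perm = list(range(n))
        rng.shuffle(perm)
        rows = reduce_on_permutation(H, s, perm)
        if rows is None:
            continue
        s_red = [row[n] for row in rows]
        if sum(s_red) != t:
            continue
        e = [0] * n
        for i in range(r):
            e[perm[i]] = s_red[i]  # undo the column permutation
        return e
    return None


def expected_iterations(n, k, t):
    """Expected Prange iterations: 1 / P(all t errors avoid the information
    set) = C(n, t) / C(n-k, t). This grows exponentially with n and is what
    sets the practical limit on decodable parameter sizes."""
    return math.comb(n, t) / math.comb(n - k, t)


if __name__ == "__main__":
    rng = random.Random(2022)
    H, s, e = gen_instance(24, 12, 3, rng)
    found = prange(H, s, 3, rng)
    if found is None:
        print("no solution found within the iteration budget")
    else:
        print("recovered error vector:", found)
        print("syndrome matches:", syndrome(H, found) == s, "weight:", sum(found))
    for n in (24, 64, 128, 256):
        print(f"n={n}, k={n // 2}, t={n // 8}: ~{expected_iterations(n, n // 2, n // 8):.3g} iterations")
```

Because several weight-t vectors can share a syndrome, the decoder's output is checked by recomputing H e^T rather than by comparing it with the planted error. Modern information-set decoders (Stern, Dumer, MMT, BJMM and their successors) reduce the per-iteration failure probability with a birthday-style search on the information set, and parallel implementations distribute the independent permutation trials across threads, which is the kind of optimization the contest rewards.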

Number of Serious Information Security Incidents

KDDI works to strengthen its information security across the Group, making efforts to reduce information security risks. In fiscal 2021, we had zero serious information security incidents.

Indicator                                                              | FY2019 | FY2020 | FY2021
Suspension of telecommunications services due to external cyber-attacks | 0      | 0      | 0
Leakage of personal data due to external cyber-attacks                  | 0      | 0      | 0
Disclosure of personal data                                             | 0      | 0      | 0