Cyber Security and Privacy Protection

KDDI classifies information assets based on internal information security rules, defines how to handle information assets according to their level of importance, and applies security measures to achieve appropriate information asset management. For example, customer information should only be handled on terminals that are blocked from accessing the Internet, and only limited persons are permitted to access such information assets through strict authorization controls, etc. In addition, information assets classified as critical information are protected by strong encryption so that they cannot be viewed by third parties outside the company. KDDI implements these appropriate security measures in accordance with the importance of information assets to achieve thorough management of such assets.

KDDI provides information security training through e-learning for all employees, including executives. The content is updated annually based on the latest threat trends, including examples of cyber-attacks occurring in Japan and overseas and the methods of attacks targeting employees, to enhance the skills and awareness of employees. In addition to the above, we also provide training for new employees, training for new line managers, and other stratified training programs to prevent information security incidents, as well as a variety of other information security education programs.

KDDI has a cybersecurity policy prescribing the standards for cyber security measures that our business information system should take, and conducts reviews to see if the policy is followed.
The security policy specifies the details and interpretations of security requirements for the information systems that the KDDI Group plans, develops, and operates. These requirements include locations of physical pieces of hardware, connection to external networks, software versions, methods of authentication and access control, and how to acquire and save logs. By rigorously conducting the security review of an information system in the phase of transition from planning to development, we accomplish "security by design" that considers cyber security from the planning and design phase.
In the phase of system operation, we conduct network vulnerability scanning to identify problems in the servers and networks. Network vulnerability scanning uses a dedicated diagnostic device, in which data on vulnerabilities of various software are saved as a signature database, to identify security issues in the scanned servers and network devices.
The issues that have been found were classified into risk-based levels so that corrective actions are taken, such as applying patches and changing settings.
By taking these actions to ensure information system security in the stages of planning, development, and operation, we offer safe and secure services.

KDDI does integrated monitoring of its cyber security across Japan, based in the regional centers. If any large-scale failure occurs, the supervisory offices take holistic control to give directives to relevant internal and external entities for recovery and provide information. Within this holistic control, our specially trained security engineers conduct 24/7 monitoring for cyber-attack threats such as unauthorized access, falsification, and targeted attacks. They monitor and analyze an enormous log from a security monitoring device for any signs of attacks. Moreover, they detect any perilous incident (e.g., unauthorized access; falsification) as soon as it occurs, and promptly inform the CSIRT and relevant internal departments about it as necessary to direct them to take action.

KDDI has the KDDI Computer Security Incident Response Team (KDDICSIRT) as a body dedicated to handling cyber security incidents. The CSIRT works with KDDI Digital Security Inc., KDDI's Group company, to receive incident information, handle the incident response, provide support for the response, and explore recurrence prevention measures, among others. Being a member of the Forum of Incident Response and Security Teams (FIRST) and the Nippon CSIRT Association, the KDDI-CSIRT cooperates with CSIRTs in Japan and overseas to share information about trends and approaches.
Given that cyber-attacks have become increasingly sophisticated, we continually take measures against new threats by collecting more information about vulnerabilities and attacks, analyzing information more thoroughly, and automating and advancing courses of action to handle cyber-attacks.

Over the past few years, there has been a sharp increase in the number of phishing scams that use email or SMS to lure customers to fake websites and steal their credentials in order to commit fraud. KDDI has established the KDDI-SSIRT (Service Security Incident Readiness & response Team) as a specialized organization to deal with this kind of unauthorized use and is working to strengthen countermeasures.
In addition to sending out information to customers about phishing scams and taking conventional anti-spam measures, we are working to prevent damage due to fake websites by detecting the occurrence of fake websites and cooperating with relevant organizations.
Furthermore, we have established a system that conducts 24/7 monitoring for unauthorized login attempts to take over the accounts of authorized users, and we are working to strengthen our countermeasures.
We have also introduced a process in which experts audit new services from the viewpoint of measures against unauthorized use, and have established a checking system to prevent inadequacies in authentication and other aspects of the service.
Since phishing scams are becoming increasingly sophisticated on a daily basis, we will continuously promote proactive security enhancements for each of our services, as well as work on countermeasures against new threats.

KDDI promotes research and development to attain a faster decoding algorithm and create faster and safer next-generation public-key cryptography in order to help create a telecommunications system that is safe to use.
Public-key cryptography is a generic technology that supports safe and secure telecommunications systems including the internet. It is used for day-to-day technologies such as online shopping and IC cards. In recent years, however, the emergence of practical quantum computing has enabled fast decoding. This means that public-key cryptography immune from decoding by quantum computers will also be needed. When using symbols and codes as next-generation public-key cryptography, it is vital to identify the limit of a decodable dimension in order to determine the size of a safe dimension.
In February 2022, at a decoding contest called "Challenges for code-based problems," KDDI became the first in the world to decode the problem of the 540- and 550-dimension Syndrome Decoding.
We also improved the decoding algorithm and did optimization suitable for a parallel multithreaded environment, making a decoding process 226 times faster.