Cyber Incident Victim: PR TIMES
Date: Apr 2025
Location: Japan
Summary
PR TIMES detected unauthorized access to its server and subsequently found that personal information and unreleased press release data may have been exposed. The intrusion involved compromised administrator credentials and a backdoor, which was later disabled. Service operations continued without disruption and no misuse of the data has been confirmed. The company reported the incident to police and informed affected users.
Description
On April 8 and 9, 2025, reconnaissance activity consistent with attacker probing was observed on the PR TIMES infrastructure, a detail later confirmed during the investigation. On April 24 the attackers gained unauthorized access to the administrator panel by exploiting an IP address that had been added during the pandemic‑era remote work transition and was not documented in the usual allow‑list, and they used a shared internal admin account that bypassed the standard BASIC and login‑password checks.

The intrusion was detected on April 25 when an anomalous file appeared on the server; the security team immediately halted the file, began forensic analysis, and blocked the offending IP address. Despite the initial block, the attackers maintained a foothold through a backdoor they had installed, and from the night of April 27 into the early morning of April 28 they executed additional malicious processes that were observed and subsequently terminated on April 30 after further investigation with external security specialists.

The timeline continued with a broader impact assessment conducted between April 28 and May 2, during which the company confirmed that no service disruption had occurred and that the core press‑release distribution platform remained fully operational throughout the incident. On May 2 the incident was reported to the relevant prefectural police headquarters, the Personal Information Protection Commission, and JIPDEC as a preliminary notice, and on May 7 a formal cyber‑damage complaint was filed with the police and accepted as a case for investigation, after which the affected users were notified individually.

The possible data exposure encompasses the administrator panel’s stored information, which includes up to 901 603 personal records comprising email addresses, names, corporate or media affiliations, phone and fax numbers, and hashed passwords for corporate users, media users, individual users, import‑list contacts, and internal staff; no banking or credit‑card data were stored in these sets. Additionally, press‑release items scheduled for announcement as of April 24—totaling 1 182 companies and 1 682 releases—and the media‑list contacts amounting to 20 514 entries were within the viewed scope. At no point has unauthorized use of the leaked data been confirmed, and the company emphasized that the breach did not affect the availability or integrity of the PR TIMES service. In response, the organization tightened access controls by restricting administrator‑panel connections to internal networks and approved VPNs only, removed the extraneous IP addresses from the allow‑list, enforced a password reset for all affected accounts, disabled the identified backdoor, and implemented configuration changes to prevent execution of unauthorized files in the compromised directory. They also initiated a review of the existing web‑application firewall and announced plans to migrate to a newly designed administrator interface by the end of 2025 that will eliminate shared admin accounts. Throughout the handling, the company maintained ongoing cooperation with law‑enforcement and regulatory bodies, continued internal monitoring, and committed to further updates should additional facts emerge.
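The entry point described above was an allow‑list address that was enforced but not documented. The following added example (not from PR TIMES or the original report) audits an enforced allow‑list against a documented register; the register format, the `INTERNAL` range and all addresses are constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed sample data using documentation address ranges; none of these
# values come from the incident report.
INTERNAL = ["10.0.0.0/8"]  # assumed internal/VPN address space
ENFORCED = ["10.20.0.0/16", "198.51.100.24/32", "203.0.113.7/32", "192.0.2.0/24"]
REGISTER = {  # hypothetical register: CIDR -> (purpose, review-by date)
    "10.20.0.0/16": ("office network", date(2026, 1, 1)),
    "198.51.100.24/32": ("approved VPN egress", date(2026, 1, 1)),
    "192.0.2.0/24": ("temporary remote-work access", date(2020, 12, 31)),
}

def _net(cidr):
    # strict=False tolerates entries written with host bits set (e.g. 10.20.1.5/16)
    return ipaddress.ip_network(cidr, strict=False)

def audit_allow_list(enforced, register, internal, today, max_external_hosts=16):
    """Return {cidr: [findings]} for enforced entries that need review."""
    documented = {_net(k): v for k, v in register.items()}
    internal_nets = [_net(c) for c in internal]
    findings = {}
    for raw in enforced:
        net = _net(raw)
        issues = []
        entry = documented.get(net)
        if entry is None:
            issues.append("undocumented")    # enforced but absent from the register
        elif entry[1] < today:
            issues.append("expired")         # documented, but past its review date
        inside = any(net.version == i.version and net.subnet_of(i)
                     for i in internal_nets)
        if not inside and net.num_addresses > max_external_hosts:
            issues.append("broad-external")  # wide range outside internal space
        if issues:
            findings[str(net)] = issues
    return findings

if __name__ == "__main__":
    report = audit_allow_list(ENFORCED, REGISTER, INTERNAL, date(2025, 4, 24))
    for cidr, issues in report.items():
        print(f"{cidr}: {', '.join(issues)}")
```

Running a check like this on a schedule surfaces temporary entries that outlive their purpose before they become an unmonitored path to an administrator panel.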
