Cyber Incident Victim: Adastria Co., Ltd
Date:
Jan 2023
Location:
Japan
Summary
Unauthorized access to internal servers was detected, prompting immediate network disconnection and system shutdowns to prevent further compromise. The incident potentially exposed personal information of over one million customers, including names, addresses, phone numbers, email addresses, and internal membership identifiers from specific e-commerce transactions and store services, though payment details and login credentials remained unaffected. While no confirmed data leaks have been identified, the company established a dedicated customer support channel, notified authorities, and initiated restoration of secured systems. Investigations with external experts continue to determine the breach scope and origin, alongside preparations to resume paused online store operations following logistics system stabilization.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 18, 2023, Adastria Co., Ltd. detected unauthorized external access to its internal business systems during early morning hours. The company immediately severed network connections and halted affected servers to contain the breach, including disabling logistics systems that supported its "dot ST" web store. While the e-commerce platform itself was not directly compromised, Adastria suspended dot ST operations due to the logistics disruption. A dedicated response team was established that morning, engaging external cybersecurity experts to investigate the intrusion's origin, method, and scope. By that afternoon, authorities were notified, though no data exfiltration had been confirmed at that stage. Subsequent forensic analysis revealed that personal information of 1,044,175 customers stored on the breached servers could not be definitively secured, prompting mandatory reporting to Japan's Personal Information Protection Commission. The investigation remained ongoing as of the January 24 update, with no verified instances of information misuse identified.
The potentially compromised data included names, addresses, phone numbers, email addresses, and internal membership identifiers for three customer groups: those who received or scheduled dot ST deliveries between July 2022-January 2023; users of in-store pickup or home delivery services from April 2021-January 2023; and a subset of August-September 2019 dot ST purchasers. Payment information and account credentials were unaffected, as credit card data wasn't stored on the breached systems and login IDs/passwords resided on separate infrastructure. Adastria initiated direct notifications via email and postal mail to impacted individuals while establishing a dedicated call center and online form for inquiries. Internal business systems resumed partial operations following security enhancements, with plans to reactivate dot ST after verifying logistics system integrity. The company committed to strengthening monitoring protocols and security frameworks to prevent recurrence, though no material financial impact was anticipated as of the latest disclosure.