
Cyber Incident Victim: GMO Payment Gateway

Date: Mar 2017

Location: Japan

Summary

GMO Payment Gateway experienced a data breach impacting client websites for the Tokyo Metropolitan Government and Japan Housing Finance Agency, caused by unauthorized access exploiting an Apache Struts 2 vulnerability. The incident compromised over 719,000 combined records, including email addresses, credit card details, security codes, personal identifiers, and sensitive payment information. The company halted affected systems, applied security patches, collaborated with impacted clients and law enforcement, and initiated an external security audit to prevent future incidents.


Description

On March 9, 2017, GMO Payment Gateway Inc. detected potential security issues following alerts related to vulnerabilities in Apache Struts 2, a framework used in its payment processing systems. The company immediately launched an investigation into possible unauthorized access and data leakage. Within approximately six hours of initiating the probe, forensic analysis confirmed traces of external unauthorized access to systems running Apache Struts 2, prompting GMO to halt all operations involving this software component. The incident impacted payment sites for two clients: the Tokyo Metropolitan Government's credit card portal for metropolitan tax payments and the Japan Housing Finance Agency's credit card site for group life insurance rider enrollments. By March 10, 2017, GMO applied permanent security patches to all affected systems and commenced a comprehensive assessment to determine the scope of compromised data.


The investigation revealed that 676,290 units of information were leaked from the Tokyo Metropolitan Government's systems, comprising 614,629 email addresses alongside 61,661 credit card numbers and expiration dates. The Japan Housing Finance Agency breach exposed 43,540 data units containing significantly more sensitive details, including full credit card numbers, expiration dates, CVV security codes, payment registration dates, physical addresses, email addresses, customer names, phone numbers, dates of birth, and payment joining dates. GMO Payment Gateway issued public apologies to affected customers and collaborated with both client organizations to implement protective measures for compromised accounts. As part of its remediation strategy, the company engaged an external information security firm to conduct a system-wide audit and strengthen infrastructure defenses. GMO also coordinated with law enforcement authorities to support criminal investigations into the unauthorized access while maintaining all patched systems under heightened monitoring protocols.
