
Cyber Incident Victim: JTB

Date: Jun 2016

Location: Japan

Summary

A major Japanese travel agency experienced a data breach through a spear phishing attack targeting an employee, who inadvertently downloaded malware via a malicious email attachment, compromising server-stored customer information. The incident potentially exposed personal data of nearly 8 million users, including names, addresses, email addresses, and passport numbers—with approximately 4,300 valid passport identifiers at risk of misuse for fraudulent travel documents or identity theft. The breach may also have affected customers using an affiliated online booking service. While no evidence of data misuse was confirmed initially, authorities launched an investigation, and the company publicly apologized for the security failure.


Description

On June 15, 2016, Japan's largest travel agency JTB publicly disclosed a significant cybersecurity incident potentially impacting approximately 7.93 million customers. The breach involved unauthorized access to sensitive customer information including names, addresses, and email addresses. Of particular concern was the confirmed theft of passport numbers, with JTB estimating approximately 4,300 of these passport identifiers remained valid at the time of disclosure. This subset of compromised passport data raised substantial concerns regarding potential misuse for forged travel documents or identity theft schemes. The agency acknowledged the possibility that data from customers who utilized online booking services through telecommunications provider NTT Docomo might also be included in the breach. JTB President Hiroyuki Takahashi issued a formal public apology during a press conference, expressing regret for causing concern to affected customers and stakeholders. The company stated it had found no evidence indicating the stolen information had been actively misused or sold on illicit markets as of the disclosure date.


The intrusion originated from a spear phishing campaign targeting JTB subsidiary i.JTB, where an employee opened a malicious email attachment that deployed malware on their workstation. This compromised system subsequently provided attackers access to customer data stored on corporate servers. JTB did not specify the exact timeframe of the initial infection or duration of unauthorized access prior to detection. The Japanese Metropolitan Police Department initiated an investigation into the cyberattack following the company's disclosure. While JTB confirmed the malware's role in exfiltrating customer information, technical details regarding the specific malware variant, data exfiltration methods, or infrastructure used by attackers remained undisclosed in initial reports. The incident represented one of Japan's largest personal data breaches at the time, particularly notable for compromising government-issued travel document information alongside standard personal identifiers.
