Cyber Incident Victim: Sports Club NAS

On April 2, 2021, Sports Club NAS, a subsidiary of Daiwa House Group, experienced unauthorized external access to its server, causing a system failure impacting membership management systems across nine of its facilities. The incident disrupted operations but did not immediately reveal evidence of data theft. The company delayed public disclosure until May 18, 2021, citing the time required for system recovery, forensic analysis, and personal information verification. An external research firm determined the ransomware variant involved was not designed to exfiltrate data, and no evidence emerged of customer information being posted on external leak sites as of the announcement date. The investigation remained ongoing, with the firm continuing to monitor external platforms for potential disclosures.

The compromised server contained personal data of 50,084 members, including names, addresses, dates of birth, genders, phone numbers, member numbers, email addresses, emergency contacts, and employment details (employer name, address, phone number). Among these individuals, 34,920 had credit card or bank account information exposed. Employee data for 60 individuals—limited to names and dates of birth—was also stored on the affected system. Sports Club NAS established a dedicated call center to address inquiries and gather reports of suspicious communications, though no secondary misuse of data was confirmed. The company committed to issuing further notifications if future investigations confirmed data leakage. No ransom demand was received, and operational recovery efforts prioritized system restoration while maintaining network security protocols.