Cyber Incident Victim: Isetan Mitsukoshi Holdings Ltd.
Date:
Aug 2020
Location:
Japan
Summary
Isetan Mitsukoshi Holdings Ltd. experienced unauthorized access impacting approximately 19,000 customers through its online store and affiliated MI Card platform. The breach compromised personal information including names, addresses, phone numbers, email addresses, and birthdates from the retail portal, while the loyalty program's exposed data involved member names, anticipated billing amounts, and active membership points. Both entities confirmed the incident resulted in unauthorized data access across their respective digital platforms.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On August 5, 2020, Isetan Mitsukoshi Co., Ltd. and its subsidiary MI Card Co., Ltd. publicly disclosed a data breach impacting approximately 19,000 customers. The incident stemmed from unauthorized access to two digital platforms: the Isetan Mitsukoshi Online Store and MI Card’s official homepage. Attackers compromised customer data stored on both systems, though the specific intrusion methods and timeline of unauthorized access were not detailed in the announcement. For the Mitsukoshi Online Store, exposed personal information included customers' full names, physical addresses, telephone numbers, email addresses, and dates of birth. The MI Card homepage breach involved different data categories: member names, anticipated billing amounts, and current membership reward points held by affected individuals. Neither company specified whether financial details like credit card numbers or payment credentials were accessed, nor did they confirm the exact duration of system exposure before detection.
The joint announcement served as the primary confirmed response action, with no immediate details provided about technical containment measures, law enforcement involvement, or forensic investigations. MI Card explicitly identified both platforms as intrusion points but did not disclose whether the breaches resulted from related attack vectors or separate security failures. The compromised data types carried significant privacy implications, particularly the combination of birthdates and contact information from the online store, which could facilitate identity theft or phishing campaigns. Exposure of membership points and billing amounts from MI Card’s systems created additional risks of targeted financial fraud against loyalty program participants. Neither entity reported customer financial losses or fraudulent activity at the time of disclosure. The companies did not outline specific remediation steps for affected individuals beyond the breach notification, such as credit monitoring offerings or password resets.