Information Security
The JAL Group fell victim to a data security breach in September 2014. Hackers attacked JAL Mileage Bank systems and gained unauthorized access to the customer information management system. We deeply apologize for the inconvenience and concern caused to customers and all those affected by this incident. In response, we are strengthening information security as a top priority and taking steps to prevent recurrence. These steps include creating a “JAL Group Handbook on Protecting Personal Information” and revising our “information handling categories” to strictly distinguish customer information from other information and thereby ensure proper management.
In addition, the Group Risk Management Council and its subordinate committee, the Risk Management and Information Security Committee, are responsible for the handling of personal information and for information security. The JAL Group, as a member of Transportation ISAC *1 and Aviation-ISAC *2, will continue to strengthen information security and reduce business risks.
To monitor and prevent increasingly sophisticated and complex cyberattacks, the JAL Group has established cybersecurity measures that are kept up to date and continually upgraded to cope with the most advanced cybercrime.
The department responsible for the entire system infrastructure and business system of the JAL Group has obtained ISO27001 certification.
*1 Information Sharing and Analysis Center for the public transportation and transport sector
*2 Information Sharing and Analysis Center for the aviation industry
* Any unauthorized use or reproduction of this certificate is strictly prohibited.
JAL Group's Basic Policies on Information Security
In light of the importance of information security in an advanced information society, the JAL Group manages and protects information that the company possesses under the following Group policies.
1. Compliance with Regulations
JAL complies with laws, regulations and guidelines stipulated by administrative bodies.
2. Establishment of management system
JAL has established an internal management system and clearly specifies division of responsibilities.
3. Compliance with internal policies, regulations and guidelines
JAL has established and complies with internal policies, regulations and guidelines.
4. Implementation of safety measures
JAL carries out safety measures and takes steps to prevent inappropriate access to information or the loss, destruction, falsification and leak of information.
5. Implementation of education and awareness programs
JAL promotes education and awareness programs for employees and ensures that information is appropriately managed, while striving to improve knowledge and awareness of information management.
6. Affiliation with external vendors
When entrusting operations related to information management to other companies, JAL selects companies with strong experience and abilities. The contract mandates confidentiality and guarantees that the information will be properly managed.
7. Efforts to improve operations
JAL regularly checks to ensure that information is managed appropriately and works to improve operations on a continual basis.
8. Response in event of accident
In the unlikely event of an accident, JAL endeavors to minimize the damage, quickly releases necessary information and takes all necessary steps to prevent a reoccurrence.
9. Designation of contact
JAL will set up a contact point to which customers may direct their inquiries, complaints, and requests. JAL will respond quickly and with integrity.
10. Release of policies
JAL will disclose its policies on information security, including this policy, by posting them on its website.
Executive officers for Information Security
The JAL Group Risk Management Council manages and promotes information security for the entire JAL Group. Its members include TOTTORI Mitsuko, Representative Director, President and Chief Executive Officer, and AOKI Noriyuki, Executive Vice President and Head of the Digital Technology Division; the council oversees information security risks for the entire JAL Group.
As Chief Information Security Officer (CISO), the Senior Vice President of the Digital Technology Division is in charge of information security and promotes the measures needed to strengthen it, in accordance with the international information security standard (ISO27001) and the guidelines*3 set forth by the Ministry of Land, Infrastructure, Transport and Tourism.
*3 Safety Guidelines for Information Security in the Aviation Field
Main Initiatives
(1) Cybersecurity measures
As it is essential to gather information in advance in order to strengthen cybersecurity, we participate in Transportation ISAC Japan and Aviation-ISAC, and use the information we gain to continuously improve information security measures.
In preparation for an incident, we monitor threats such as unauthorized access and virus infection 24 hours a day, 365 days a year, in cooperation with a number of external agencies. In addition, public-facing servers undergo comprehensive vulnerability verification, including penetration testing.
Because important information such as personal information is also handled in remote working environments, we have strengthened IT security for handling such information outside the office. To prevent information leaks, we reformulated the rules for handling important information outside the company and clarified which information may be used outside the company. Furthermore, based on the "Zero Trust" approach to cyber risk, we are introducing company terminals with new security measures that can be used safely outside the company, and we are promoting exhaustive risk assessment of cloud services, whose use is expanding.
(2) Incident response
In the event of an incident, a JAL Group CSIRT (Computer Security Incident Response Team) is organized in accordance with the Risk Management Manual (RMM), together with the organizations appointed in the manual, to ensure a prompt response and to prevent recurrence of such events. We also hold JAL Group CSIRT training at least twice a year in preparation for incidents.
(3) Education and training
Information Security Training is conducted at least twice a year for all executives and employees in order to raise awareness of information security and prevent information leaks and other incidents. We also conduct targeted e-mail training several times a year to prevent damage from virus e-mails and business e-mail compromise (BEC).
(4) Employee evaluation of information security
Information security is part of employee performance evaluation: disciplinary action is taken against any violation of the Information Security Regulations, with which all employees must comply.
(5) Information security risk assessment
The organization responsible for information security conducts face-to-face inspections of JAL Group companies to check the status of information asset management and compliance with the Information Security Regulations.
In addition, we have external experts conduct audits every year on a continuing basis and make the necessary improvements based on the auditors' opinions.