Information Security

The JAL Group fell victim to a data security breach in September 2014. Hackers attacked JAL Mileage Bank systems and gained illegal access to the customer information management system. We deeply apologize for the inconvenience and concern caused to customers and all those affected by this incident. In response, we are strengthening information security as a top priority issue and taking steps to prevent recurrence. These steps include creating a “JAL Group Handbook on Protecting Personal Information,” and revising “information handling categories” to strictly distinguish between customer information and other information and thereby ensure proper management.
In addition, the Group Risk Management Council and its subordinate committee, the Risk Management and Information Security Committee, are responsible for the handling of personal information and information security. The JAL Group, as a member of Transportation ISAC *1 and Aviation-ISAC *2, will continue to strengthen information security and reduce business risks.
To monitor and prevent increasingly sophisticated and complex cyberattacks, the JAL Group has established cybersecurity measures, which will be constantly updated to cope with the most advanced cybercrimes.
The department responsible for the entire system infrastructure and business system of the JAL Group has obtained ISO27001 certification.

*1 Information Sharing and Analysis Center for public transportation and transport sector

*2 Information Sharing and Analysis Center for aviation industry

* Any unauthorized use or reproduction of this certificate is strictly prohibited.

ISO 27001 Certificate of Registration 1
ISO 27001 Certificate of Registration 2
ISO 27001 Certificate of Registration 3

JAL Group's Basic Policies on Information Security

In light of the importance of information security in an advanced information society, the JAL Group manages and protects information that the company possesses under the following Group policies.

1. Compliance with Regulations

JAL complies with laws, regulations and guidelines stipulated by administrative bodies.

2. Establishment of management system

JAL has established an internal management system and clearly specifies division of responsibilities.

3. Compliance with internal policies, regulations and guidelines

JAL has established and complies with internal policies, regulations and guidelines.

4. Implementation of safety measures

JAL carries out safety measures and takes steps to prevent inappropriate access to information or the loss, destruction, falsification and leak of information.

5. Implementation of education and awareness programs

JAL promotes education and awareness programs for employees and ensures that information is appropriately managed, while striving to improve knowledge and awareness of information management.

6. Affiliation with external vendors

When entrusting operations related to information management to other companies, JAL selects companies with strong experience and abilities. The contract mandates confidentiality and guarantees that the information will be properly managed.

7. Efforts to improve operations

JAL regularly checks to ensure that information is managed appropriately and works to improve operations on a continual basis.

8. Response in event of accident

In the unlikely event of an accident, JAL endeavors to minimize the damage, quickly releases necessary information and takes all necessary steps to prevent a reoccurrence.

9. Designation of contact

JAL will set up a contact point to which customers may direct their inquiries, complaints, and requests. JAL will respond quickly and with integrity.

10. Release of policies

JAL will disclose its policies on information security, including this policy, by posting them on its website.

Executive officers for Information Security

The supreme committee for information security in the JAL Group is the Group Risk Management Council, chaired by the Representative Director, President and CEO Yuji Akasaka, which manages information security risks in the JAL Group.

Under the Group Risk Management Council, the Risk Management and Information Security Committee, with the Senior Vice President of General Affairs as chairman and the Vice President of IT Planning as vice chairman, is working to strengthen the information security of the JAL Group.

The Senior Vice President of IT Planning is the Chief Information Security Officer (CISO), responsible for implementing the necessary measures to strengthen information security according to the guideline of the Ministry of Land, Infrastructure, Transport and Tourism *3.

*3 Safety Guidelines for Information Security in the Aviation Field

Main Initiatives

(1) Cybersecurity measures

As it is essential to gather information in advance in order to strengthen cybersecurity, we participate in Transportation ISAC Japan and Aviation-ISAC, and use the information we gain to continuously improve information security measures.
In preparation for an incident, we monitor threats such as unauthorized access and virus infection 24 hours a day, 365 days a year, in cooperation with a number of external agencies. In addition, for public servers, comprehensive verifications of vulnerabilities, including penetration testing, are conducted.

The increase in remote working due to the spread of COVID-19 is expected to continue, necessitating measures to deal with emerging cyber risks. Specifically, there is a risk that damage from cyberattacks arising from remote working could affect the operations of our operational divisions, leading to flight delays and cancellations. In addition, since important information such as personal information is handled in remote working environments, we strengthened IT security for handling such information outside the office. To prevent information leaks, we reformulated the rules for handling important information outside the company, and clarified which information is available outside the company. Furthermore, JAL has started to replace current company-issued mobile terminals with new mobile terminals with higher IT security tailored to remote working.

(2) Incident response

In the event of an incident, a CSIRT (Computer Security Incident Response Team) is to be organized according to the Risk Management Manual (RMM), together with the organizations appointed in the manual, to ensure a prompt response to the incident and to prevent recurrence. We also plan CSIRT training at least twice a year in preparation for incidents.

(3) Education and training

Information Security Training is conducted at least twice a year for all executives and employees in order to enhance employee awareness of information security and prevent information leaks and other incidents. We also conduct targeted email training multiple times a year to prevent damage from virus emails and business e-mail compromise (BEC).

(4) Employee evaluation of information security

Information security is part of the employee performance evaluation, as disciplinary action will be taken against any violation of the Information Security Regulation, which all employees must comply with.

(5) Information security risk assessment

Face-to-face inspections of JAL Group companies are conducted by the organization responsible for information security to check the status of information asset management and compliance with Information Security Regulations.
In addition, we have external experts conduct annual audits on a continuing basis and make necessary improvements based on the opinions of the auditors.
