Information Security
The JAL Group fell victim to a data security breach in September 2014. Hackers attacked JAL Mileage Bank systems and gained illegal access to the customer information management system. We deeply apologize for the inconvenience and concern caused to customers and all those affected by this incident. In response, we are strengthening information security as a top priority issue and taking steps to prevent recurrence. These steps include creating a “JAL Group Handbook on Protecting Personal Information” and revising “information handling categories” to strictly distinguish between customer information and other information and thereby ensure proper management.
In addition, the Group Risk Management Council and its subordinate committee, the Information Security and Personal Information Protection Committee, are responsible for the handling of personal information and information security. The JAL Group, as a member of Transportation ISAC *1 and Aviation-ISAC *2, will continue to strengthen information security and reduce business risks.
To monitor and prevent increasingly sophisticated and complex cyberattacks, the JAL Group has established cybersecurity measures, which will be constantly kept up to date to cope with the most advanced cybercrimes.
The department responsible for the entire system infrastructure and business system of the JAL Group has obtained ISO27001 certification.
*1 Information Sharing and Analysis Center for public transportation and transport sector
*2 Information Sharing and Analysis Center for aviation industry
* Any unauthorized use or reproduction of this certificate is strictly prohibited.

JAL Group's Basic Policies on Information Security and Protection of Personal Information
In order to ensure the provision of air transportation services, including those for passengers and cargo, the JAL Group recognizes the importance of information security and the protection of personal information in an advanced information and telecommunications society, as well as the increasing risk of information security affecting flight safety. The JAL Group manages and protects information that the company possesses under the following Group policies.
Information held by the JAL Group refers to all information, including financial, sales, personal, and technical know-how, regardless of the storage medium, such as electronic or paper.
1. Compliance with Regulations
- JAL complies with laws, regulations and guidelines stipulated by administrative bodies.
2. Establishment of management system
- JAL will appoint an administrator responsible for information security and personal information protection within the Group, establish a management system, and clarify the division of responsibilities.
3. Compliance with internal policies, regulations and guidelines
- JAL has established and complies with internal policies, regulations and guidelines.
4. Implementation of information security measures (Protection of information assets)
- JAL has implemented information security measures (protection of information assets).
- JAL carries out safety measures and takes steps to prevent inappropriate access to information or the loss, destruction, falsification and leak of information.
- The confidentiality, integrity, and availability of information will be protected within JAL.
5. Clarification of Employee Roles and Responsibilities and Implementation of education and awareness programs
- JAL clarifies the roles and responsibilities of employees to ensure information security and personal information protection.
- JAL promotes education and awareness programs for employees and ensures that information is appropriately managed, while striving to improve knowledge and awareness of information management.
- JAL fosters a culture of fair information security and ensures that information is properly managed.
6. Affiliation with external vendors and suppliers
- Parties with sufficient experience and competency will be selected when outsourcing information management services to other companies or dealing with suppliers who handle information.
- The contract will stipulate confidentiality obligations and other matters necessary to maintain the JAL Group's information security and personal information protection standards and will require compliance with this policy to ensure that information is properly managed.
7. Efforts to improve operations
- JAL regularly checks to ensure that information is managed appropriately and works to improve operations on a continual basis.
- JAL has implemented initiatives to improve our operations, including continuous investment in information security systems.
8. Threat Monitoring and response in event of accident
- JAL monitors information security threats. In the unlikely event of an accident, JAL endeavors to minimize the damage, quickly releases necessary information and takes all necessary steps to prevent a reoccurrence.
9. Designation of contact
- JAL will set up a contact point to which customers may direct their inquiries, complaints, and requests. JAL will respond quickly and with integrity.
10. Review and release of policies
- JAL will review at regular intervals and disclose its policies on information security and the protection of personal information, including this policy, by posting them on its website.
Executive officers for Information Security
The JAL Group Risk Management Council manages and promotes information security for the entire JAL Group. The members of this council, who include Representative Director, President, Chief Executive Officer TOTTORI Mitsuko and AOKI Noriyuki, Executive Vice President and the Head of Digital Technology Division, oversee information security risks for the entire JAL Group.
As Chief Information Security Officer (CISO), the Senior Vice President of Digital Technology Division is in charge of information security and promotes the necessary measures to strengthen information security in accordance with the international information security standard (ISO27001) and the guidelines*3 set forth by the Ministry of Land, Infrastructure, Transport and Tourism.
*3 Safety Guidelines for Information Security in the Aviation Field
Main Initiatives
(1)Cybersecurity measures
As it is essential to gather information in advance in order to strengthen cybersecurity, we participate in Transportation ISAC Japan and Aviation-ISAC, and use the information we gain to continuously improve information security measures.
In preparation for an incident, we monitor threats such as unauthorized access and virus infection 24 hours a day, 365 days a year, in cooperation with a number of external agencies. In addition, for public servers, comprehensive verifications of vulnerabilities, including penetration testing, are conducted.
In addition, since important information such as personal information is handled in remote working environments, we strengthened IT security for handling such information outside the office. To prevent information leaks, we reformulated the rules for handling important information outside the company, and clarified the information available outside the company. Furthermore, based on the "Zero Trust" approach to cyber risk, we are introducing company terminals with new security measures that can be used safely outside the company, and promoting exhaustive risk assessment of cloud services, whose use is expanding.
(2)Incident response
In the event of an incident, the JAL Group CSIRT (Computer Security Incident Response Team) is to be organized in accordance with the Risk Management Manual (RMM), together with the organizations appointed in the manual, to ensure a prompt response to the incident and to prevent its recurrence. We also plan JAL Group CSIRT training at least twice a year in preparation for incidents.
(3)Education and training
Information Security Training is conducted at least twice a year for all executives and employees in order to enhance employee awareness of information security and prevent information leaks and other incidents. We also conduct targeted email training multiple times a year to prevent damage from virus email and business e-mail compromise (BEC).
(4)Employee evaluation of information security
Information security is part of the employee performance evaluation, as disciplinary action will be taken against any violation of the Information Security Regulation, with which all employees must comply.
(5)Information security risk assessment
Face-to-face inspections are conducted for JAL Group companies by the organization responsible for information security to check the status of information asset management and compliance with Information Security Regulations.
In addition, we have external experts conduct annual audits on a continuing basis and make necessary improvements based on the opinions of the auditors.