Information Security

Rakuten's Approach

While the internet has enhanced the convenience of our lives and become indispensable social infrastructure, it has also given rise to issues such as personal information leaks, fraud, and invasion of privacy. There is a widespread social demand for solutions to these issues and the establishment of a robust and secure IT society.
Rakuten Group offers a wide range of online and offline services, including e-commerce, fintech, digital content and communications. Informational assets such as personal information obtained through these services and the hardware and software that make up our information systems are essential for our business activities. Ensuring security through adequate protection and management of these assets is one of our highest management priorities. We are continually bolstering efforts to ensure information security for our stakeholders.

Please see here for more information on our efforts on information security.

Basic Policy

  1. Establishment of the information security management system
    Build an information security management system under a management-team initiative and strive to enhance and maintain information security.
  2. Appropriate management of information assets
    Recognize the importance of information assets held, evaluate risks and properly manage these assets.
  3. Establishing regulations for ensuring information security
    Establish regulations and other guidelines for ensuring information security and thoroughly extending these to all related persons.
  4. Compliance with laws and norms
    Comply with all laws and norms related to information security.
  5. Continuous improvement
    Implement audits on a regular basis and continuously improve our information security management system.

Management System

We strive to strengthen information security governance by sharing the same policy and values throughout the Group, from management to employees. The Rakuten Group Information Security & Privacy Committee, chaired by the Group CISO (Chief Information Security Officer), is held monthly to report on and make decisions regarding policy implementation and recent incidents. The major resolutions made by the committee and matters of importance are reported at the Corporate Management Meetings and communicated to the CISOs and employees in charge of information security appointed at each Group company to ensure they are implemented on the front lines.

Aligning with Global Standards

The Rakuten Group sets standards and regulations based on ISO/IEC 27001, aiming to maintain the confidentiality, integrity and availability of information assets by constructing, operating and continuously improving our Information Security Management System (ISMS), which manages various risks, such as the loss or falsification of information assets and service outages.

Also, Rakuten Ichiba became ISO/IEC27001-certified in November 2006, and we are proceeding with the certification of all Rakuten Group organizations, major domestic group companies, and overseas group companies. The following 44 Rakuten Group companies have received this certification through annual external independent audits.

ISO/IEC 27001

Rakuten Group, Inc.

ISO/IEC 27001

Rakuten Card Co., Ltd.

  • Rakuten Group, Inc.
  • LINKSHARE JAPAN K.K.
  • Target, Inc.
  • Rakuten Socio Business, Inc.
  • Rakuten Baseball, Inc.
  • Rakuten Travel Service, Inc.
  • Rakuten ANA Travel Online Co., Ltd.
  • Rakuten Communications Corp.
  • Rakuten Insight, Inc.
  • Rakuten Card Co., Ltd.
  • Keiba Mall, Inc.
  • Rakuten Ticket, Inc.
  • Rakuten Edy, Inc.
  • Rakuten Mobile, Inc.
  • Rakuten Mobile Engineering, Inc.
  • Rakuten Customer Service, Inc.
  • Rakuten SQREEM,Inc.
  • Rakuten Payment, Inc.
  • Rakuten Wallet, Inc.
  • Rakuten Vissel Kobe, Inc.
  • Rakuten Energy, Inc.
  • Rakuten Car, Inc.
  • K Dreams Co.,Ltd.
  • Hunglead, Inc.
  • Rakuten Business Support, Inc.
  • Rakuten Drone, Inc.
  • Rakuten Data Solutions, Inc.
  • Rakuten Mobile Infra Solution, Inc.
  • Rakuten STAY, Inc.
  • Rakuten Total Solutions, Inc.
  • Rakuten India Enterprise Private Limited
  • Rakuten Asia Pte. Ltd
  • Rakuten Europe S.à.r.l.
  • Rakuten France S.A.S.
  • Rakuten TV Europe, S.L.U.
  • Rakuten Travel Xchange Pte. Ltd
  • Rakuten Symphony INC.
  • Rakuten Symphony India Private Limited
  • Rakuten Mobile USA LLC
  • Rakuten Symphony Singapore Pte. Ltd.
  • Rakuten Symphony Deutschland GmbH
  • Rakuten International Commercial Bank Co., Ltd.
  • Rakuten Travel Singapore Pte. Ltd
  • Rakuten USA, Inc.

Furthermore, our activities ensure thorough compliance with PCI DSS*1, an international information security standard for businesses that handle payment cards, including credit cards. These activities have been recognized, and in early 2021, we became the only company in Asia to be elected as a member of the PCI SSC*2 Board of Advisors.

*1 Payment Card Industry Data Security Standard
*2 Payment Card Industry Security Standards Council

PCI SSC

Information Security Education

To ensure information security, it is crucial that employees wield a strong awareness of the subject.
The Rakuten Group holds Asakai meetings, our weekly morning meeting attended by all employees, focusing security and privacy. We also provide annual information security training to all executives and employees, including directors, regular employees, contract employees, temporary staff, partner staff, outsourced workers, and part-time employees. Participants not only improve their understanding of the importance of information security through case studies of actual incidents, but also pledge their adherence to internal regulations.
At the annual Global CISO Summit, in which CISOs from each Group company participate to improve Group-wide information security literacy, in addition to policy explanations from headquarters, best practices and technical expertise of each Group company are shared, subcommittees meet to discuss the important themes of the year, and lectures by external experts are held.

Strengthening Cyber Security

Cybersecurity is the practice of ensuring the safety of a virtual environment (cyberspace) composed of the internet; computer networks; information systems; and devices such as personal computers, smartphones and their users, and taking measures against threats. These threats include but are not limited to the falsification of information, computer viruses, destructive behavior, and phishing attacks (fraudulent acts via email, etc.).
The Rakuten Group has established a specialized organization dedicated to cybersecurity. A system is in place to proactively develop safe services while eliminating vulnerabilities (information security flaws) by ensuring thorough security education for developers, implementing security reviews during the software development process, and conducting inspections for vulnerabilities. Our efforts to prevent security incidents also include monitoring illegal access, and surveying and responding to information security flaws.
We are also striving to offer secure services across the entire Group by pursuing a global expansion of the Security Champion system – our framework for overseeing the development of secure services in each department – and through thorough security reviews and sharing knowledge and expertise.

Development Process

Furthermore, we have established a Groupwide CSIRT*1 to cooperate with external stakeholders such as relevant ministries, organizations specialized in cybercrime and other companies, and we are strengthening our cooperation with organizations such as the police and other administrative and investigative agencies, FIRST*2, and the Nippon CSIRT Association. We are committed not only to maintaining our own security but also improving information security for society as a whole.

*1 Computer Security Incident Response Team: An assembly that investigates and responds to reports on security incidents.
*2 Forum of Incident Response and Security Teams: A global organization that responds to incidents.

Measures against Phishing Emails

In recent years, more and more fraudulent activities have been carried out over the internet using email – a practice known as phishing. To protect our customers from such attacks, we have accelerated the implementation of Sender Domain Authentication Technologies (SPF, DKIM, DMARC) for our advertising emails, which certify that Rakuten is the sender of the emails. Through the use of such technologies, it is possible to identify malicious emails falsely associated with Rakuten and to discard them on a recipient's email server before they are delivered.

Rakuten is implementing this technology for the domains used in our 70+ services and will further deploy it to include all outgoing e-mails from Rakuten. In addition to this, we continue to work with a number of IT companies and mobile carriers to implement a system that displays the Rakuten brand symbol or official account label on messages received from Rakuten through their messaging services to officially confirm their origin.

Mockup of display (smartphone)

Please see here for more information on our efforts against phishing emails.

Specified User Information Handling Policy

In June 2023, the Japanese Telecommunications Business Act was amended to require businesses utilizing Specified User Information to create and disclose its handling policy. We established this policy with the aim of ensuring customer understanding of the purposes and protection measures related to the Specified User Information handled by Rakuten Group, Inc., in accordance with the requirements of the law.
Please refer to the Specified User Information Handling Policy from here (Japanese).

オルトの内容

Privacy

Rakuten Group strives to implement, enhance and enforce privacy requirements to enable its users to fully enjoy the Rakuten ecosystem.

>READ MORE