While the internet has enhanced the convenience of our lives and become indispensable social infrastructure, it has also given rise to issues such as personal information leaks, fraud, and invasion of privacy. There is a widespread social demand for solutions to these issues and the establishment of a robust and secure IT society.
Rakuten Group offers a wide range of online and offline services, including e-commerce, fintech, digital content and communications. Informational assets such as personal information obtained through these services and the hardware and software that make up our information systems are essential for our business activities. Ensuring security through adequate protection and management of these assets is one of our highest management priorities. We are continually bolstering efforts to ensure information security for our stakeholders.
Please see here for more information on our efforts on information security.
Establishment of the information security management system
Build an information security management system under a management-team initiative and strive to enhance and maintain information security.
Appropriate management of information assets
Recognize the importance of information assets held, evaluate risks and properly manage these assets.
Establishing regulations for ensuring information security
Establish regulations and other guidelines for ensuring information security and thoroughly extend these to all related persons.
Compliance with laws and norms
Comply with all laws and norms related to information security.
Implement audits on a regular basis and continuously improve our information security management system.
We strive to strengthen information security governance by sharing the same policy and values throughout the Group, from management to employees. The Rakuten Group Information Security & Privacy Committee, chaired by the Group CISO (Chief Information Security Officer), is held monthly to report on and make decisions regarding policy implementation and recent incidents. The major resolutions made by the committee and matters of importance are reported at the Corporate Management Meetings and communicated to the CISOs and employees in charge of information security appointed at each Group company to ensure they are implemented on the front lines.
Aligning with Global Standards
The Rakuten Group sets standards and regulations based on ISO/IEC 27001, aiming to maintain the confidentiality, integrity and availability of information assets by constructing, operating and continuously improving our Information Security Management System (ISMS), which manages various risks, such as the loss or falsification of information assets and service outages.
Rakuten Ichiba became ISO/IEC 27001-certified in November 2006. Most recently, in 2021, our India-based affiliate subsidiary Rakuten India Enterprise Private Limited achieved the same certification, and we are striving to have all of our major global companies certified. The following 27 Rakuten Group companies have received this certification through annual external independent audits.
- Rakuten Group, Inc.
- Rakuten Energy, Inc.
- Rakuten Edy, Inc.
- Target, Inc.
- K Dreams Co., Ltd.
- Rakuten Mobile Engineering, Inc.
- Rakuten Baseball, Inc.
- Rakuten Europe S.à.r.l.
- Rakuten SQREEM, Inc.
- Rakuten ANA Travel Online Co., Ltd.
- Rakuten Travel Xchange Pte Ltd
- Rakuten Wallet, Inc.
- Rakuten Vissel Kobe, Inc.
- Keiba Mall, Inc.
- Rakuten Ticket, Inc.
- LINKSHARE JAPAN K.K.
- Rakuten Car, Inc.
- Rakuten Mobile, Inc.
- Rakuten Socio Business, Inc.
- Rakuten India Enterprise Private Limited
- Rakuten Mobile Customer Service, Inc.
- Rakuten Travel Service, Inc.
- Rakuten Asia Pte Ltd
- Rakuten Payment, Inc.
- Rakuten Communications Corp.
- Rakuten Insight, Inc.
- Rakuten Card Co., Ltd.
Furthermore, our activities ensure thorough compliance with PCI DSS*1, an international information security standard for businesses that handle payment cards, including credit cards. These activities have been recognized, and in early 2021, we became the only company in Asia to be elected as a member of the PCI SSC*2 Board of Advisors.
*1 Payment Card Industry Data Security Standard
*2 Payment Card Industry Security Standards Council
Information Security Education
To ensure information security, it is crucial that employees have a strong awareness of the subject.
The Rakuten Group holds Asakai meetings, our weekly morning meetings attended by all employees, that focus on security and privacy. We also provide annual information security training to all executives and employees, including directors, regular employees, contract employees, temporary staff, partner staff, outsourced workers, and part-time employees. Participants not only improve their understanding of the importance of information security through case studies of actual incidents, but also pledge their adherence to internal regulations.
CISOs from each Group company participate in the annual Global CISO Conference to improve Group-wide information security literacy. In addition to policy explanations from headquarters, best practices and technical expertise of each Group company are shared, subcommittees meet to discuss the important themes of the year, and lectures by external experts are held.
Strengthening Cyber Security
Cybersecurity is the practice of ensuring the safety of a virtual environment (cyberspace) composed of the internet; computer networks; information systems; and devices such as personal computers, smartphones and their users, and taking measures against threats. These threats include but are not limited to the falsification of information, computer viruses, destructive behavior, and phishing attacks (fraudulent acts via email, etc.).
The Rakuten Group has established a specialized organization dedicated to cybersecurity. A system is in place to proactively develop safe services while eliminating vulnerabilities (information security flaws) by ensuring thorough security education for developers, implementing security reviews during the software development process, and conducting inspections for vulnerabilities. Our efforts to prevent security incidents also include monitoring illegal access, and surveying and responding to information security flaws.
We are also striving to offer secure services across the entire Group by pursuing a global expansion of the Security Champion system – our framework for overseeing the development of secure services in each department – and through thorough security reviews and sharing knowledge and expertise.
Furthermore, we have established a Groupwide CSIRT*1 to cooperate with external stakeholders such as relevant ministries, organizations specialized in cybercrime and other companies, and we are strengthening our cooperation with organizations such as the police and other administrative and investigative agencies, FIRST*2, and the Nippon CSIRT Association. We are committed not only to maintaining our own security but also improving information security for society as a whole.
*1 Computer Security Incident Response Team: An assembly that investigates and responds to reports on security incidents.
*2 Forum of Incident Response and Security Teams: A global organization that responds to incidents.
Measures against Phishing Emails
In recent years, more and more fraudulent activities have been carried out over the internet using email – a practice known as phishing. To protect our customers from such attacks, we have accelerated the implementation of Sender Domain Authentication Technologies (SPF, DKIM, DMARC) for our advertising emails, which certify that Rakuten is the sender of the emails. Through the use of such technologies, it is possible to identify malicious emails falsely associated with Rakuten and to discard them on a recipient's email server before they are delivered.
Rakuten is implementing this technology for the domains used in our 70+ services and will further deploy it to include all outgoing e-mails from Rakuten. In addition to this, we continue to work with a number of IT companies and mobile carriers to implement a system that displays the Rakuten brand symbol or official account label on messages received from Rakuten through their messaging services to officially confirm their origin.
Please see here for more information on our efforts against phishing emails.