Japan's Ministry Issues Administrative Guidance to Rakuten Mobile Over Privacy Breach
Japan’s Ministry of Internal Affairs and Communications has taken enforcement action against Rakuten Mobile following a significant security incident that compromised customer communication records and exposed systemic failures in incident response protocols.
The Ministry of Internal Affairs and Communications delivered administrative guidance to Rakuten Mobile on August 19, 2025, citing violations of telecommunications secrecy laws and criticizing the company’s three-month delay in reporting the breach. The incident involved unauthorized access to the “my Rakuten Mobile” customer portal, where attackers gained access to sensitive communication data affecting thousands of subscribers.
Criminal actors successfully obtained login credentials for Rakuten Mobile’s customer service portal, enabling unauthorized access to highly sensitive subscriber information. The breach compromised communication records including call destination numbers, SMS transmission details, and communication timestamps – data classified under Japan’s telecommunications secrecy regulations.
A juvenile criminal group acquired account credentials for at least 4,609 customers across 7,002 active lines through undisclosed methods. These credentials provided direct access to the “my Rakuten Mobile” portal, where subscribers can view detailed communication histories and account information.
Between November 2023 and February 2025, the attackers systematically impersonated legitimate users to access customer accounts and exploit the platform’s functionality. The group leveraged portal features to establish fraudulent eSIM contracts, circumventing identity verification processes by adding unauthorized lines to existing customer accounts.
The criminal operation extended beyond data access to include sophisticated contract fraud targeting Rakuten Mobile’s eSIM provisioning system. Attackers exploited weaknesses in the identity verification process to establish additional lines under compromised customer accounts without proper authentication.
This dual-purpose attack enabled both data harvesting and service fraud, with criminals gaining access to communication records while simultaneously establishing fraudulent telecommunications services. The extended timeframe of the operation, spanning over 15 months, indicates significant gaps in Rakuten Mobile’s fraud detection and monitoring capabilities.
The Ministry’s investigation revealed that the portal’s design allowed unrestricted access to communication metadata once attackers obtained valid credentials, creating extensive exposure to telecommunications secrecy violations under Japanese telecommunications law.
The Ministry expressed particular concern regarding Rakuten Mobile’s three-month delay in reporting the telecommunications secrecy breach, characterizing this timeline as a serious regulatory compliance failure. Japanese telecommunications law requires prompt notification of incidents affecting communication privacy, and the extended delay prevented timely regulatory oversight and customer protection measures.
Ministry officials emphasized that the reporting delay compounded the severity of the underlying security incident, preventing appropriate regulatory response and potentially exposing additional customers to ongoing risks. The delayed disclosure pattern suggests deficiencies in Rakuten Mobile’s incident classification and escalation procedures.
The regulatory guidance specifically addresses the company’s failure to implement adequate incident response workflows that properly identify and escalate telecommunications secrecy violations to senior management and regulatory authorities within required timeframes.
The Ministry’s administrative guidance mandates comprehensive organizational changes to Rakuten Mobile’s compliance and risk management framework. The carrier must implement specific verification steps within incident response procedures to assess whether security events expose customer communication data to unauthorized access.
Incident Response Protocol Enhancement: Rakuten Mobile must integrate telecommunications secrecy verification checkpoints into all incident response workflows. These verification steps require systematic assessment of whether system failures or security events create unauthorized access to call records, SMS data, or other protected communication information.
Executive Reporting Structure Reform: The guidance requires establishment of direct escalation channels ensuring senior management receives immediate notification of potential telecommunications secrecy violations, bypassing traditional hierarchical reporting structures that contributed to the three-month delay.
Documentation and Training Requirements: The Ministry demands comprehensive updates to internal policies, incident response manuals, and staff training programs to ensure proper identification and handling of telecommunications secrecy incidents across all organizational levels.
This administrative guidance represents Rakuten Mobile’s second regulatory enforcement action, following previous violations related to customer identity verification requirements. The Ministry specifically noted that the company’s compliance systems failed to prevent recurring regulatory violations despite previous corrective measures.
The pattern of repeated compliance failures prompted the Ministry to demand fundamental organizational changes rather than incremental improvements to existing procedures. Regulatory officials emphasized that surface-level policy adjustments have proven insufficient to address underlying systemic compliance deficiencies.
Rakuten Mobile’s history of regulatory violations has influenced the Ministry’s approach to this incident, with officials requiring detailed implementation timelines and regular progress reporting to ensure meaningful compliance system improvements.
The Rakuten Mobile case establishes an important precedent for telecommunications secrecy enforcement in Japan’s mobile carrier industry. The Ministry’s emphasis on reporting timeline compliance and systematic incident response procedures signals heightened regulatory scrutiny of carrier security practices and customer data protection measures.
The administrative guidance reflects evolving regulatory expectations for telecommunications providers in Japan, particularly regarding prompt disclosure of customer data exposure incidents and implementation of robust privacy protection systems. Other Japanese carriers will likely face increased regulatory pressure to demonstrate comprehensive incident response capabilities and telecommunications secrecy protection measures.
The incident underscores the critical importance of proactive security monitoring, rapid incident classification, and immediate regulatory reporting for telecommunications providers operating under Japan’s strict privacy protection framework. Companies must establish clear procedures for identifying telecommunications secrecy violations and ensure senior management understands the regulatory implications of security incidents affecting customer communication data.
Source: Soumu.go.jp