Lawson today announced the results of an investigation concerning the leak of LAWSON PASS cardholder information. LAWSON PASS is a credit card issued by Lawson and affiliate LAWSON CS Card, Inc. (LCS). The investigation was conducted at Lawson by a joint committee of the three companies involved—Lawson, LCS and a systems development outsourcing company. Lawson also announced additional internal measures designed to protect personal information, as well as salary reductions for some members of senior management.

The investigation committee, which was chaired by Yasuyuki Takai, an attorney from outside Lawson, interviewed relevant people and gathered related information and documents. The committee's findings were as follows:

• (1) It was determined that only personal information and no credit information was leaked.
• (2) It is highly likely that the information was intentionally taken from two computers used by a systems development and operations company that was working under contract for Lawson.
• (3) Neither Lawson nor LCS employees had the password to access these computers.
• (4) Only a small number of people had access to the computers in question. However, pinpointing the person(s) who took the information is impossible, given the limitations of a private investigation of this type.
• (5) Discussions are currently being held with the authorities about the identification of the individuals involved and the action to be taken against them.

The Personal Information Protection Committee, chaired by President Takeshi Niinami, has decided on the following policies for the protection of all customer information, including that held by stores, and not just LAWSON PASS cardholder information. These policies supplement security measures previously announced on July 15 of this year.

• (1) Impose tighter controls on the handling and disposal of personal information at the store level.
• (2) Draft internal regulations for personal information that include punitive measures for breaches, and strictly enforce those regulations.
• (3) Redouble efforts to educate employees on matters pertaining to the protection of personal information.
• (4) Conduct internal audits covering personal information.
• (5) Prepare standards for the selection of contractors, review the terms of contractor agreements and conduct regular inspections.

Due to the concern caused to cardholders by the leak of personal information, the following members of Lawson's senior management team will take a reduction in salary or receive a reprimand:

<Announcement on Measures to Secure Cardholder Information>

• (1) A 24-hour security camera will be installed in the room where operators enter cardholder information
• (2) Finger-print verification will be used to restrict access to this room
• (3) A finger-print verification device will be installed in access terminals
• (4) The number of people with access to personal information will be further restricted
• (5) The company managing cardholder information has agreed to introduce the same security measures.

Lawson wishes to again express its sincerest apologies to cardholders for the worry and concern caused by the information leak, which led to some customers receiving unsolicited direct mail. Lawson continues to work with law enforcement authorities and to enhance security so as to tighten the management of important cardholder information and win back the trust and confidence of cardholders.

August 6, 2003

Takeshi Niinami
President and CEO

Archives(Back Numbers）