Top Management Message August 6, 2003

Report From Investigation Committee Concerning Leak of LAWSON PASS Cardholder Information

Lawson today announced the results of an investigation concerning the leak of LAWSON PASS cardholder information. LAWSON PASS is a credit card issued by Lawson and affiliate LAWSON CS Card, Inc. (LCS). The investigation was conducted at Lawson by a joint committee of the three companies involved—Lawson, LCS and a systems development outsourcing company. Lawson also announced additional internal measures designed to protect personal information, as well as salary reductions for some members of senior management.

1.Report of the Investigation Committee

The investigation committee, which was chaired by Yasuyuki Takai, an attorney from outside Lawson, interviewed relevant people and gathered related information and documents. The committee's findings were as follows:

  • (1) It was determined that only personal information and no credit information was leaked.
  • (2) It is highly likely that the information was intentionally taken from two computers used by a systems development and operations company that was working under contract for Lawson.
  • (3) Neither Lawson nor LCS employees had the password to access these computers.
  • (4) Only a small number of people had access to the computers in question. However, pinpointing the person(s) who took the information is impossible, given the limitations of a private investigation of this type.
  • (5) Discussions are currently being held with the authorities about the identification of the individuals involved and the action to be taken against them.

2.Policies for the Protection of Personal Information

The Personal Information Protection Committee, chaired by President Takeshi Niinami, has decided on the following policies for the protection of all customer information, including that held by stores, and not just LAWSON PASS cardholder information. These policies supplement security measures previously announced on July 15 of this year.

  • (1) Impose tighter controls on the handling and disposal of personal information at the store level.
  • (2) Draft internal regulations for personal information that include punitive measures for breaches, and strictly enforce those regulations.
  • (3) Redouble efforts to educate employees on matters pertaining to the protection of personal information.
  • (4) Conduct internal audits covering personal information.
  • (5) Prepare standards for the selection of contractors, review the terms of contractor agreements and conduct regular inspections.

3.Internal Action

Due to the concern caused to cardholders by the leak of personal information, the following members of Lawson's senior management team will take a reduction in salary or receive a reprimand:

Takeshi Niinami President and CEO 10% pay cut for 3 months
Teruo Aoki Senior Executive Vice President
(formerly Chief Information Officer (CIO))
20% pay cut for 3 months
Susumu Hasegawa Senior Vice President, General Manager,
Information Systems Office (Currently CIO)
20% pay cut for 3 months
Shigeaki Kawahara Senior Vice President,
Marketing Division
10% pay cut for 3 months
Leader, Information Systems Office Person in Charge of Systems Development Reprimand

4.Chronology of Events

June 9 Inquiry from cardholder
June 10 Internal investigation launched
June 18 Inquiry from another cardholder
June 19 Cardholder information leak confirmed
June 23 Investigation committee formed and law enforcement authorities contacted
June 24 Personal Information Protection Committee formed
June 26 Press release issued on leak of cardholder information
July 9-12 Letter of apology sent to cardholders
July 15 Press release made concerning measures for securing
  personal information. Key points of the press release were as follows:

<Announcement on Measures to Secure Cardholder Information>

  • (1) A 24-hour security camera will be installed in the room where operators enter cardholder information
  • (2) Finger-print verification will be used to restrict access to this room
  • (3) A finger-print verification device will be installed in access terminals
  • (4) The number of people with access to personal information will be further restricted
  • (5) The company managing cardholder information has agreed to introduce the same security measures.

Lawson wishes to again express its sincerest apologies to cardholders for the worry and concern caused by the information leak, which led to some customers receiving unsolicited direct mail. Lawson continues to work with law enforcement authorities and to enhance security so as to tighten the management of important cardholder information and win back the trust and confidence of cardholders.

August 6, 2003

Takeshi Niinami
President and CEO

Archives(Back Numbers)