Japan's government has considered the proposed security improvements developed by Yahoo!, found them wanting, and ordered the onetime web giant to take new measures.

Yahoo! is in the sights of the Ministry of Internal Affairs and Communications because the LINE messaging app it owns allowed Chinese entities to read users' messages and also leaked customer data after a 2023 attack.

LY Corporation, the Yahoo!-owned entity that runs LINE, was formed after the Japanese incarnation of the Purple Palace acquired LINE from South Korean tech giant NAVER. Since that 2021 transaction, the two entities have continued to operate intermingled tech stacks. The 2023 leak highlighted the risks that creates - not least because LINE and NAVER still shared an Active Directory years after the acquisition.

The ministry last month ordered Yahoo! Japan to disentangle the two tech stacks and ensure the privacy of local LINE users.

The order required Yahoo! Japan to submit a plan for improving its infosec. That document landed in early April.

The ministry reviewed it, and found it wanting.

In guidance issued Tuesday, the ministry declared it is not been satisfied that proposed changes to infosec practices and subcontractor management will fix the problems at LY Corp.

"We believe that we are in a situation where it is not necessarily clear that there will be a sufficient review of the establishment of the security governance system for the entire group … and we have determined that it is necessary to accelerate countermeasures and consideration," the ministry lamented.

It has therefore ordered Yahoo! Japan to:

• Speed its review of infosec management, and how it manages subcontractors who can access its systems;
• Hasten its review of security governance across the group;
• Inform users of progress to improve security through regular publications.

At the time of writing, LY Corp appears not to have updated the statement it issued in March. That document would be familiar to readers who can recall other web giants cleaning up after their cyber messes: it contained apologies, pledges to do better in future, and promises to ensure a large and devoted workforce delivers results.

Few governments hold tech companies to account for those promises, but Japan's has - which is one reason The Register is covering this news. ®

https://www.theregister.com//2024/04/17/japan_rejects_line_yahoo_security_plan/