Investigation Report Regarding the Privacy Breach Incident and Countermeasures

This is an update regarding the privacy breach incident originally reported on June 28, 2024*.
* Apology and Notification Regarding Privacy Breach Incident

We would first like to offer our sincere apologies to everyone involved, including applicants and fans, for all the distress this incident has caused.

In order to ascertain the exact causes of the incident and the extent of its impact, we have conducted a detailed investigation with the assistance of external auditors, which included thorough analysis of log information and interviews with people related to the incident. The following is a report of the results of the investigation and the measures to prevent any recurrence.

 

1. Investigation Report

Possible Causes

At Brave group, we use the Google Forms service to collect information related to our auditions. Whenever a form is created, two distinct URLs are generated:
A public URL: a URL that can be used to fill in and submit the form.
A private URL: a URL that can be used to modify the form and view answers. This URL is entirely different from the public URL and cannot be reverse-engineered from the public URL.

The sharing settings of both URLs were set to “Anyone with the link”, which allows any person who knows the complete URL to access its contents. While the public URL was posted on our auditions page, the private URL was never made public.

However, once a person has answered and submitted the form, it becomes listed in their “Recent” tab on their Google home screen, allowing them to access a page with their answers. During our investigation, the external auditors brought to our attention that an unpublicized method of obtaining the private URL via the public URL may very likely have been exploited at the time of the incident. This may have been made possible by an undocumented update deployed on the Google Forms service, which is estimated to have been made around June 4, 2024. As of June 26, 2024, that method of obtaining the private URL can no longer be reproduced.

Based on the above, we have confirmed that an unrelated third party may have been able to access the private URL without our authorization between June 4 and June 25, 2024, before we changed the permissions on the impacted Google Forms.

Impact

In response to this incident, we have commissioned an external audit to investigate all the documents hosted on our Google cloud and search for any potential unauthorized access by applying the following rules:
Files with a large number of external accesses between June 4 and June 25, 2024.
Files with a large percentage of external accesses during June 2024.
Files with an abnormally high number of accesses during a given period of time.
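
The three audit rules above can be expressed as a filter over file-access events. The following Python code is an added example, not the auditors' tooling or part of the original report; the thresholds, the internal domain example.co.jp, the event tuple layout and the sample events are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Assumed values: the report gives no thresholds, domain or log format.
INTERNAL_DOMAIN = "example.co.jp"               # placeholder internal domain
WINDOW = (date(2024, 6, 4), date(2024, 6, 25))  # exposure window from the report
MIN_EXTERNAL_IN_WINDOW = 5     # rule 1: "large number" of external accesses
MIN_EXTERNAL_SHARE_JUNE = 0.5  # rule 2: "large percentage" during June 2024
BURST_MIN, BURST_FACTOR = 8, 4  # rule 3: busiest day vs. the file's median day

def is_external(actor):
    # Anonymous link visitors (actor is None) count as external.
    return actor is None or not actor.endswith("@" + INTERNAL_DOMAIN)

def flag_files(events):
    """events: (file_id, day, actor) tuples. Returns {file_id: set of rules met}."""
    per_file = defaultdict(list)
    for file_id, day, actor in events:
        per_file[file_id].append((day, actor))
    flagged = {}
    for file_id, rows in per_file.items():
        rules = set()
        in_window = [a for d, a in rows if WINDOW[0] <= d <= WINDOW[1]]
        if sum(map(is_external, in_window)) >= MIN_EXTERNAL_IN_WINDOW:
            rules.add("external_in_window")
        june = [a for d, a in rows if (d.year, d.month) == (2024, 6)]
        if june and sum(map(is_external, june)) / len(june) >= MIN_EXTERNAL_SHARE_JUNE:
            rules.add("external_share_june")
        daily = Counter(d for d, _ in rows).values()
        if max(daily) >= BURST_MIN and max(daily) >= BURST_FACTOR * median(daily):
            rules.add("burst")
        if rules:
            flagged[file_id] = rules
    return flagged

# Constructed sample events, not data from the incident.
STAFF, PARTNER = "staff@example.co.jp", "pm@partner.example"
SAMPLE_EVENTS = (
    [("form-responses", date(2024, 6, d), STAFF) for d in (1, 2, 3)]
    + [("form-responses", date(2024, 6, 10), None)] * 9
    + [("partner-sheet", date(2024, 6, d), PARTNER) for d in (5, 6, 7, 5, 6, 7)]
    + [("partner-sheet", date(2024, 6, d), STAFF) for d in range(8, 18)]
    + [("internal-doc", date(2024, 6, d), STAFF) for d in range(1, 6)]
)

if __name__ == "__main__":
    for file_id, rules in flag_files(SAMPLE_EVENTS).items():
        print(file_id, sorted(rules))
```

In the sample, partner-sheet meets a rule through known collaborator traffic alone, which is why a flagged file still needs its access history reviewed before it is treated as exposed.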

Based on the audit, we have identified five other files meeting the above criteria.
However, upon thorough investigation of the files' access history, we have confirmed that the external accesses were performed by collaborators with whom we have shared the URL, and that there has been no unintended or unauthorized access to those files, limiting the exposed files to the following:
VSPO! Auditions (Japanese only)
Brave group General Auditions (Japanese & English)
HareVare VLiver Auditions
VSPO! Authorized Clippers Application

2. Response

The following measure has been applied:
All the Google Forms present on our company Google Cloud had their permissions changed to restricted access settings.

3. Countermeasures

In order to prevent any recurrence, we will (1) review file sharing settings, (2) reinforce our workflow for handling personal information, and (3) consider the implementation of a more secure solution to collect personal information.
The countermeasures are being deployed gradually and are expected to be completed by September 2024.

1) Reviewing File Sharing Settings and Permissions
Public access to the files on our internal Google Cloud, including all the Google Forms, will be revoked and strict controls on external sharing will be implemented.

2) Reinforcing our workflow for handling personal information
Internal regulations will be reviewed, and training and onboarding will be provided to all personnel in order to raise awareness of the handling of personal information.

3) Implementing a new solution to collect personal information
We are currently exploring professional solutions for a new service to replace Google Forms to collect personal information that can only be accessed by our personnel.

4. Resuming Auditions

Auditions have been temporarily interrupted since the incident and will be resumed soon.
While we are still considering the implementation of a new professional service, the resumed auditions will be using a new form developed by Brave group and we will avoid collecting some personal information such as the applicant’s full name or phone number.

We would like to reassert that we take this matter very seriously and we will do our utmost to prevent the recurrence of such a situation by reinforcing our internal procedures while providing our personnel and management with the proper training in order to regain the trust of our fans and partners.

Again, we offer our sincere apologies for all the inconvenience and distress this incident has caused.

If you wish to contact us regarding this matter, please use the following e-mail address:
contact_all@bravegroup.co.jp

 
