Article Details

Japan orders local giants LINE and NAVER to disentangle their tech stacks. Government mighty displeased about a shared Active Directory that led to a big data leak. Japan's government has ordered local tech giants LINE and NAVER to disentangle their tech stacks, after a data breach saw over 510,000 users' data exposed. LINE is a messaging app created by an offshoot of South Korea's NAVER – a Google-like web giant. The LINE app is very widely used across Asia – in Japan and Thailand it is used by the majority of the population and enjoys the kind of ubiquity WhatsApp boasts in other nations. In 2021, LINE merged with Yahoo! Japan, which is owned by SoftBank. NAVER and SoftBank emerged as half owners of an entity that operates LINE. In 2023, however, LINE leaked. And on Tuesday, Japan's Ministry of Internal Affairs and Communications issued administrative guidance on how to avoid a similar snafu in future. The Ministry's guidance outlines deep entanglements between LINE and NAVER tech. NAVER's cloud has "extensive access" to LINE's environment, making it easy to access data stored in the messaging app's legacy systems using NAVER's network. The guidance also reveals how authentication services were shared – a decision that became problematic as details of former LINE staff were stored in a shared Active Directory. Some of those former staff later contracted to LINE, and it was unauthorized access to those credentials – via NAVER Cloud – that led to the data breach. NAVER didn't spot the intrusion, so LINE wasn't aware it was at risk. The document includes extensive criticism of infosec practices and governance at both LINE and NAVER, and calls for a comprehensive review of both – and quarterly reports to the Ministry regarding progress. Another requirement is for LINE to disentangle its tech from NAVER and maintain only minimal essential links. The Ministry also wants the two services to implement their own authentication tools – the shared Active Directory must go, and LINE users' creds must not be stored on NAVER infrastructure. Greater attention to contractors' impact on infosec is also urged. After machine translation from Japanese, the document contains many references to "drastic" change being required at LINE, and the likely unreliability of NAVER as a partner in those endeavors. LINE has accepted the recommendations. NAVER has promised to help. And for its part SoftBank has said it's noted the incident and the Ministry's guidance, and will consider its application across the group – which spans telecoms in Japan, Yahoo!, and a majority stake in UK chip designer Arm, among many other assets. Which leaves LINE with a very complex project to conduct, under constant scrutiny, and customers of NAVER Cloud perhaps a little worried about what else it might be doing badly.