SoftBank DataBreach – 137,000 Users Personal Data Exposed From Third-party Service Provider

SoftBank Corporation, an investment holding company, disclosed a significant data breach affecting 137,156 mobile subscribers through compromised third-party infrastructure. 

The incident, which occurred in December 2024 but was only discovered in March 2025, represents a critical failure in vendor security management and highlights the persistent vulnerabilities in outsourced data processing operations.

According to Japan’s Public Broadcaster, NHK, the security incident exposed a substantial volume of personally identifiable information (PII) belonging to both SoftBank and Y! Mobile subscribers. 

SoftBank DataBreach

The compromised dataset included customer names, residential addresses, and phone numbers stored within the systems of UF Japan, an external service provider contracted for telecommunications support operations. 

Notably, the breach did not extend to more sensitive financial data elements, with SoftBank confirming that credit card numbers, bank account information, and payment credentials remained secure within isolated systems.

The exposure timeline reveals gaps in incident detection capabilities. While the unauthorized access occurred in December 2024, the breach remained undetected for approximately three months until a third-party security researcher reported suspicious activity to SoftBank in March 2025. 

This detection delay underscores potential weaknesses in real-time monitoring systems and intrusion detection protocols within the outsourced infrastructure.

Investigation findings reveal multiple critical security control failures at UF Japan’s facilities. The primary attack vector involved inadequate physical access controls and perimeter security measures for data processing floors containing sensitive customer information. 

Security assessments identified insufficient badge access systems, compromised entry/exit logging mechanisms, and absent biometric authentication protocols for areas designated as high-security zones.

The perpetrator, identified as a former employee of another partner company within the supply chain, exploited these access control vulnerabilities to gain unauthorized physical access to restricted areas. 

This insider threat scenario demonstrates the complexity of managing security across multi-vendor environments where former employees retain institutional knowledge of facility layouts and security procedures. 

The incident also exposed data accessibility issues, where personal information was improperly configured with overly permissive access rights, allowing unauthorized personnel to extract customer data without triggering automated security alerts.

SoftBank’s immediate response included terminating the contractual relationship with UF Japan and initiating law enforcement consultation procedures. 

SoftBank said, “We take the serious incident seriously, and will strengthen management of outsourced companies that handle personal information to prevent recurrence.”

The company has committed to implementing enhanced vendor security assessments, including mandatory penetration testing, compliance auditing, and continuous security monitoring requirements for all third-party data processors, reads the NHK report.

These measures align with Japan’s Personal Information Protection Act (PIPA) requirements and international data protection standards.

The incident carries significant regulatory implications under Japan’s telecommunications security framework and may trigger investigations by the Ministry of Internal Affairs and Communications. 

SoftBank faces potential administrative sanctions, including security improvement orders and enhanced reporting obligations. 

The company’s statement emphasizes strengthened vendor management protocols, including mandatory security certifications, regular vulnerability assessments, and real-time monitoring integration to prevent similar incidents across their outsourced operations ecosystem.

Live Credential Theft Attack Unmask & Instant Defense – Free Webinar

The post SoftBank DataBreach – 137,000 Users Personal Data Exposed From Third-party Service Provider appeared first on Cyber Security News.