We are writing to inform you about a recent privacy breach that involved some personal information regarding applications to our auditions.
We would first like to sincerely apologize to all the applicants as well as all the people involved for all the distress and personal troubles that this incident has caused.
Please find below explanations detailing what happened and how we are responding to this incident.
Summary of the Incident
At Brave group, we collect the information relative to our auditions using the Google Forms service from the cloud-based Google Docs suite. This allows us to provide a form to applicants via a public URL. Answers are collected in a separate document that can only be accessed from a different URL (henceforth referred to as “private URL”).
However, we have identified unauthorized access by a third-party to the document containing the answers to auditions held by our subsidiary Virtual Entertainment, Inc. on June 25, 2024 at 17:15 (all date and times in the present document are expressed in JST) via that document’s private URL.
Through our investigation, we have identified a similar privacy breach to the “Brave group general auditions” (Japanese only) directly operated by Brave group, Inc. as well as the “HareVare VLiver auditions” operated by our subsidiary ENILIS Inc.
As the documents private URL are not made publicly available in any way, it is very likely that it has been leaked.
In the light of the above circumstances, as there is a high possibility of an intentional leak or unauthorized access, we are currently fully committing our resources in order to conduct a careful investing.
Impacted Individuals and Information
- Affected information: personal information pertaining to 10,653 auditions could have been accessed, affecting approximately 7,000 individuals.
- Affected individuals: applicants who have applied to either of Brave group general auditions in Japanese, VSPO! Japan auditions or HareVare VLiver auditions.
We are currently investigating any potential information breach related to Brave group General auditions in English. - Period when the information could have been accessed:
Between June 4, 2024 19:40 and June 25, 2024 17:50 - List of affected personal information:
– Full name
– Country / Prefecture of residence (However, some applicants have provided their full address)
– Phone number
– Date of birth
– Social network accounts
– Reasons and motivations for application
Detailed Background
When creating a form, two URLs are issued: a public URL for answering the form and a private URL for storing the collected answers.
The forms private URL sharing settings have been set to “Anyone with the link”, allowing any person with knowledge of that URL to get access to its contents.
However, the respective auditions pages only make available the public URL for applicants. As the private URL is not publicly made available in any way, the personal information contained in the applications are not publicly accessible.
We are currently investigating how an unauthorized third-party has been able to get knowledge of the private URL and will make an announcement as soon as the circumstances have been identified.
Once our teams have confirmed the above breach, the sharing settings have been immediately updated on June 25, 2024 at 17:50 and the cloud-stored documents are no longer accessible to any unauthorized third party, even by using the private URL.
Detailed timeline
A certain post on the social network X (formerly Twitter) was published on June 25, 2024 at 17:01 and our teams have been able to confirm the contents detailed in the aforementioned post on the same day at 17:15.
After reviewing all the inquiries we have received, we have identified inquiries reporting the potential breach made by two individuals on June 18, 2024 at 11:23 and June 25, 2024 at 16:28 via DM sent to VSPO! Official X account.
Because the DM sent to our X accounts are not directly displayed and require additional moderation, this led to a delay in the processing of inquiries. Due to the described circumstances, our teams have been able to fully confirm the breach and the existence of the aforementioned inquiries on June 25, 2024 at 17:15.
Investigation and Audit
We have formed an investigation committee in order to determine the cause of the incident and are also working to include an external auditor to help with our investigation.
Security and Prevention Measures
We have reported this incident to the regulatory authorities competent on this matter and are working towards strengthening our information security and management.
Furthermore, we are working towards raising awareness about information security in order to prevent any potential further damage and are proceeding with investigating potential individuals that may have illegally acquired or used information pertaining to this matter.
Our Response
- Phone Number Change Assistance
We will endorse all the costs related to changing phone numbers. - Cases of Personal Address Breach
While the auditions forms only request the information about the country and prefecture of residence, there have been cases where applicants have provided us with their full address. We will be reviewing each case in order to offer the appropriate level of assistance in regards to each case’s individual circumstances. - Full Personal Support
We commit our utmost support to everyone who has been affected by this incident and will work with them closely on a case by case basis.
Regarding Inquiries sent to Brave group
contact_all@bravegroup.co.jp
We are currently experiencing a large number of inquiries being sent to the above email address and we are currently doing our utmost in order to respond to all the inquiries in a timely manner and would like to ask for your kind patience.
Notice to All Our Applicants
In response to the incident, our teams have emailed all the affected applicants on Wednesday, June 26, 2024 between 16:30 and 17:00 from our contact_all@bravegroup.co.jp email address in order to provide assistance.
In the case you are no longer using the email address used in the application or have not received that email for any other reason, please contact our support team via the above email.
Please note that this is a non-standard situation that requires us to exceptionally handle personal information and that we do not request nor make use of personal information outside of what is described in the scopes of our regular business activities.
We would like to ask everyone to be wary of any potential malicious emails or messages that misleadingly pretend to be from Brave group or any of our affiliated companies.
In the case you receive a suspicious email or message, we ask that you do not open any of the URL or attachment contained in the email and delete it immediately.
Future Information Disclosure
Along with our regular business activities, we will also give priority to providing support to all parties that have been negatively impacted from this incident and investigate the circumstances of this information breach.
We will publish important information relative to our investigations as we confirm the validity of our information.
Again, we would like to extend our most sincere apologies to all our applicants as well as all the related parties for the inconvenience and distress this may have caused.
