2021.8.6
Press release

[Investigation Report] Mercari’s Response to the Codecov Vulnerability and Related Notification on Personal Information Exposure

On May 21, 2021, Mercari, Inc. announced[1] that the company's use of the code coverage tool Codecov[2] had resulted in unauthorized access by a third party, with some of the company's source code and users' personal information being exposed in the process. We subsequently conducted a full investigation into the scope of the impact, with the cooperation of an external security specialist. Today, we would like to announce that this investigation has concluded and share the results.
[1]: See this press release for the May 21, 2021, announcement and background of the incident.
(https://about.mercari.com/en/press/news/articles/20210521_incident_report/)
[2]: Tool for measuring test code coverage (percentage of program source code subjected to automated testing)

Our investigation found an additional 13 records of information belonging to a limited set of Mercari marketplace app users and 25 records of employee information, including the information of employees at our subsidiaries[3]. This brings the total number of information records exposed to 27,927 (27,889 records announced on May 21; 38 records announced today). However, at this time, we have not yet discovered any damage or impact from malicious use of the exposed data.
[3]: Note that the exposure of user information described here was only discovered after our original May 21 announcement. There has been no new exposure of information following that original announcement.

We deeply apologize to everyone affected by this for the concern and inconvenience it may cause.

Additional information discovered to have been potentially compromised:

  • Information concerning customer service response, collected between December 2015 and February 2019 (names, addresses, dates of birth, messages between buyers and sellers): 13 records
  • Information concerning employees of Mercari Group (names, company email addresses, employee ID numbers, etc. of a limited number of employees, including past employees and some outsourced employees, dated April 2021): 25 records

Our support for parties whose information may have been compromised is detailed below. We have also established dedicated points of contact for inquiries regarding this incident.

 

1) For users whose information may have been compromised

  • Our response:
    Mercari has begun directly contacting those whose information may have been accessed without authorization to explain the situation.
  • For questions:
    We have established a dedicated point of contact for users who have confirmed that their information may have been compromised. Please read through the following guide.

■ Contacting Mercari regarding compromised user information
https://www.mercari.com/jp/help_center/article/1159/  (only available in Japanese)

 

2) For employees whose information may have been compromised *Including former employees and some outsourced employees

  • Our response:
    Mercari has begun directly contacting those whose information may have been accessed without authorization to explain the situation.
  • For inquiries:
    Although we are directly contacting those whose information may have been accessed, please use the dedicated email address below if you have any additional questions about your data or are concerned that your data may have been compromised.

mercarigroup-employeesupport@mercari.com (Mercari Group, HR Representative)

Mercari Group understands the gravity of the situation, and we will continue to work towards strengthening security measures across the group to ensure users can enjoy a safe and secure service.

Again, we are truly sorry for any concern and inconvenience this incident may cause.