RIZAP Data Breach: 365K Customer Records Exposed by Cloud Misconfiguration

March 8, 2025

On November 29, 2024, RIZAP Corporation revealed that customer information for approximately 365,461 individuals was inadvertently exposed to unauthorized parties. The breach occurred due to an access permission misconfiguration on its cloud service, leading to a possible data leak over an extended period.

Incident

Leak Details

  1. Duration: January 24, 2022 – October 25, 2024 (approximately 2 years and 9 months)
  2. Affected Records: 365,461 customer entries
  3. Data Exposed:
    1. Full name
    2. Email address
    3. Date of birth
    4. Gender
    5. Physical address
    6. Phone number
    7. Membership number
    8. Other personal information (Note: Sensitive data such as special care personal information and credit card details were not included)

Discovery and Response
In October 2024, external parties alerted RIZAP to the vulnerability. The company promptly corrected the access permissions. An internal investigation later confirmed that the data had been exposed for over two years.

Corporate Countermeasures
RIZAP has since implemented the following measures:

  1. Enhanced Access Controls:
    Reviewing and strengthening cloud configuration settings to block unauthorized access.
  2. Improved Data Management:
    Conducting comprehensive audits across all cloud environments to establish a robust management framework.
  3. Employee Training:
    Intensifying information security training programs to prevent future incidents.
  4. Customer Notification:
    Affected customers have been individually notified, with a dedicated inquiry hotline established.

Potential Impact and Risks
While there have been no reports of data misuse so far, the exposure of names, email addresses, and physical addresses could increase the risk of phishing scams, spam, impersonation, and targeted attacks.

Future Challenges and Outlook
RIZAP must leverage this incident to boost its overall security posture. Strengthening transparency, providing rapid responses, and enhancing preventive measures will be crucial in restoring customer trust and safeguarding the company’s brand.

Summary:

  1. Approximately 365,461 customer records were exposed due to a cloud misconfiguration
  2. The vulnerability persisted for nearly 3 years
  3. RIZAP has since launched corrective actions and preventive measures
  4. The incident raises concerns about phishing and impersonation risks

MITRE ATT&CK Analysis

| Tactic | Technique (Example) | Description | Evidence/Considerations in the RIZAP Case |
| --- | --- | --- | --- |
| Initial Access | Misconfiguration (Administrative Error) | In this case, an incorrect access permission setting on a cloud service enabled unauthorized parties to view files that contained customer data. | The breach was caused by a misconfiguration on cloud storage that left certain customer files exposed from January 24, 2022, to October 25, 2024. |
| Discovery | T1083 (File and Directory Discovery) | External actors may use automated tools to scan for publicly accessible cloud storage or misconfigured systems containing sensitive data. | Unauthorized parties likely discovered the misconfigured cloud storage when scanning for publicly accessible files, as indicated by the external notification that led to the disclosure. |
| Exfiltration | T1041 (Exfiltration Over C2 Channel) (Potential) | Although there is no confirmed evidence of data being actively exfiltrated, the exposed data was accessible and could have been downloaded. | While the investigation did not confirm actual data exfiltration, the prolonged exposure (nearly three years) of 365,461 customer records created a substantial risk for data theft. |
| Impact | Data Exposure (Resulting in Increased Risk of Secondary Attacks) | The exposure of customer data increases the risk of phishing, spam, impersonation, and other targeted attacks, impacting customer trust. | Approximately 365,461 records—including names, email addresses, birthdates, addresses, phone numbers, and membership numbers—were exposed, though no misuse or secondary damage has been confirmed. |
| Reconnaissance | T1598 (Search Open Websites/Domains) (Potential) | Attackers often scan for misconfigured or publicly accessible resources to identify targets for further exploitation. | The misconfiguration allowed the cloud-hosted customer files to be accessible for an extended period, which may have been identified by automated scanning tools. |

Disclosure Timeline

  1. https://rizap.co.jp/news/6o2Cp6i-
  2. https://rizap.co.jp/news/L3BYrgVa
