IG Securities, the Japan-based arm of IG Group, disclosed on an unspecified date that it had improperly handled approximately 190,000 customer records classified as “specific personal information,” including Japan’s national identification number system known as My Number. The incident stemmed from internal data handling practices and actions by IG Markets Limited, an affiliated entity acting as an external contractor, rather than a confirmed external breach.
Scale of Exposure
IG Securities identified two separate exposure scenarios. In the first, 162,879 customer records were accessible within certain systems used across the IG Group. The company stated that access remained internal, but the scale raised concerns over how broadly sensitive data was viewable beyond its intended boundaries.
In the second case, 29,734 records were stored on a server managed by a cloud service provider. IG Securities said this storage occurred without its prior consent, indicating a breakdown in oversight between the Japanese entity and the contractor handling the data.
Data Types and Regulatory Context
The affected information included full names, dates of birth, gender, residential addresses, phone numbers, email addresses, and My Number identifiers. My Number data is subject to strict handling rules in Japan because of its use in taxation and social security systems.
Japan applies strict controls to “specific personal information,” particularly My Number identifiers. Firms handling this data are expected to limit access, use approved storage processes, and prevent unauthorized processing or disclosure.
IG Securities said its investigation found no evidence that customer data was leaked outside the company or accessed by unauthorized external parties. However, improper internal handling can still trigger regulatory scrutiny, corrective orders, and reputational damage, especially when sensitive national identifier data is involved.
Data Governance and Company Response
The disclosure highlights operational risks created by global brokerage structures, where customer data may move across entities, platforms, and jurisdictions. In this case, the involvement of IG Markets Limited demonstrates how intra-group delegation can create gaps between written controls and actual data handling.
IG Securities issued a formal apology and announced plans to tighten its data governance framework. Planned steps include stricter controls on how affiliated entities access and store personal data, along with clearer approval processes for external infrastructure such as cloud servers.
The company did not disclose whether regulators have been formally notified or whether penalties are under review. With more than 190,000 records involved across both scenarios, the case may draw attention from Japan’s data protection authorities.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
