Brave group Inc., which operates a VTuber business, announced on June 25, 2024, the possibility of a personal information leak.
The individuals potentially affected by the personal information leak are those who applied for the following auditions: "Vspo! JP Audition," "Brave group General Audition," and "HareVare VLiver Audition."
10,653 Pieces of Leaked Personal Information Identified as of Now
The total number of affected applications announced this time is 10,653, which includes approximately 7,000 applicants for the "Vspo! JP Audition" operated by Brave group's subsidiary, Virtual Entertainment Inc., approximately 1,043 applicants for the "HareVare VLiver Audition" operated by another group company, ENILIS Inc., and approximately 2,610 applicants for the "Brave group General Audition" operated directly by Brave group.
The information announced this time is what has been identified as of now, and personal information may have been leaked in past auditions as well.
The number of individuals whose personal information was leaked from Brave group is subject to change based on future investigations.
Cause of the Brave Group Personal Information Leak
Brave group and its respective group companies are VTuber agencies that were using Google Forms for their VTuber audition application forms.
(Although the official name is Google Forms, the company's announcement refers to it as "Google Form" and "Google form.")
The cause was that the "Edit URL" for the Google Form, which allows viewing of the responses (in this case, the application information of the audition applicants), was in a state where it could be viewed externally.
The company's announcement states that since the Edit URL is not publicly disclosed, the URL must have been leaked in some way.
However, even if it had been leaked, the personal information would not have been exposed if the forms had been set to be non-viewable, leading to comments on social media that the fundamental cause might be a human error-related setting mistake.
An individual who noticed the personal information leak contacted the official X (formerly Twitter) account via direct message on June 18 at 11:23 AM JST and June 25 at 4:28 PM JST, but the DMs were reportedly not noticed. The issue was discovered after the inquiring person made a public post on X, which generated attention.
Leaked Personal Information
The leaked information includes the name, prefecture of residence, phone number, date of birth, social media accounts used, and reasons for applying of the VTuber applicants who applied for the auditions.
For those who mistakenly entered their full address in the prefecture of residence field, their address was also leaked.
Since it is likely that many applicants entered their real names, this means that the VTuber's stage name, real name, and date of birth could be revealed from their social media information.
Unlike personal information leaks at general companies, the revelation of the real name and date of birth of a VTuber—who are virtual, talent-like figures with many passionate fans—could potentially affect their future activities.
Companies Investing in Brave Group
Those unfamiliar with Brave group or VTubers may not know what kind of company it is, but Brave group has received investments from many notable companies.
The main companies that have invested in Brave group are the following:
- Osaka Gas Co., Ltd.
- Akatsuki Inc.
- Saison Ventures Co., Ltd.
- Animoca Brands K.K.
- gumi Inc.
- Third Wave Corporation
- Sumisho Venture Partners Co., Ltd.
- Yostar Inc.
- REALITY, Inc.
- Septeni Holdings Co., Ltd.
- Shochiku Ventures Inc.
- The Shizuoka Bank, Ltd.
- Mitsui Fudosan Co., Ltd.
- TV Asahi Holdings Corporation
- Simplex Capital Investment Co., Ltd.
- Tokyo University of Science Innovation Capital Co., Ltd.
- Money Forward Venture Partners Inc.
- Revamp Corporation
- Adways Ventures Inc.
(In no particular order, a selection of information from the time of funding announcements.)
Brave Group's Privacy Policy and Information Security Policy
The company posts an "Information Security Policy" on its official website.
A brief summary of the initiatives is as follows:
- Responsibly handling customer confidential information
- Recognizing the importance for all who handle confidential information to protect information assets from risks such as leakage, damage, or loss
- Actively practicing to maintain information security, confidentiality, integrity, and availability
The policy also states that the company has "established an information security system with a dedicated manager and an experienced data security officer" and that it implements security measures, conducts regular education/training, and performs periodic inspections and audits.
If such measures had been implemented, an incident like this is not expected to occur, but as stated in the company's announcement, "the possibility of intentional leakage or unauthorized access is also quite possible," so we await further reports.
個人情報流出に関するお詫びとご報告 https://t.co/pg79TVK2Rp
— 株式会社Brave group (@bravegroup_vt) June 25, 2024