What Did IG Securities Disclose?
IG Securities, the Japan-based arm of IG Group, disclosed that it had improperly handled customer data classified as “specific personal information,” including Japan’s national identification number system, known as My Number.
The company said the issue did not involve a confirmed external breach. Instead, the incident stemmed from internal data handling practices and the actions of IG Markets Limited, an affiliated entity that was acting as an external contractor.
IG Securities said customer data was processed and stored in ways that did not align with internal controls or prior approvals, raising questions over how personal information was managed across group entities.
How Many Customer Records Were Affected?
The company identified 2 separate exposure scenarios. In the first, 162,879 customer records were accessible within certain systems used across the IG Group. The access remained internal, but the scale raised concerns over how broadly sensitive data was viewable beyond its intended boundaries.
In the second case, 29,734 records were stored on a server managed by a cloud service provider. IG Securities said this storage occurred without its prior consent, pointing to a breakdown in oversight between the Japanese entity and the contractor handling the data.
The affected information included full names, dates of birth, gender, residential addresses, phone numbers, email addresses, and My Number identifiers. My Number data is subject to strict handling rules in Japan because of its use in taxation and social security systems.
Investor Takeaway
The incident does not appear to be an external breach, but the scale of the affected records raises governance risk. For global brokers, internal data access and contractor oversight can carry regulatory exposure even when no outside leak is confirmed.
Why Does My Number Data Raise the Stakes?
Japan applies strict controls to “specific personal information,” particularly My Number identifiers. Firms handling this data are expected to limit access, use approved storage processes, and prevent unauthorized processing or disclosure.
IG Securities said its investigation found no evidence that customer data was leaked outside the company or accessed by unauthorized external parties. That distinction may reduce immediate breach-related fallout, but it does not remove compliance risk.
Improper internal handling can still trigger regulatory scrutiny, corrective orders, and reputational damage, especially when sensitive national identifier data is involved.
What Does the Case Say About Brokerage Data Governance?
The disclosure highlights the operational risk created by global brokerage structures, where customer data may move across entities, platforms, and jurisdictions. In this case, the involvement of IG Markets Limited shows how intra-group delegation can create gaps between written controls and actual data handling.
IG Securities issued a formal apology and said it is tightening its data governance framework. Planned steps include stricter controls on how affiliated entities access and store personal data, along with clearer approval processes for external infrastructure such as cloud servers.
The company did not disclose whether regulators have been formally notified or whether penalties are under review. With more than 190,000 records involved across both scenarios, the case may draw attention from Japan’s data protection authorities.