Breaking: 7 Million Users Exposed in Osaka Cyberattack
Authorities in Osaka arrested a 17-year-old on December 4, 2025, after he allegedly hacked into Kaikatsu Club—Japan's largest internet cafe chain—and extracted personal data of over 7 million users. The breach, carried out using malicious code, has raised urgent concerns about cybersecurity vulnerabilities in hospitality networks.
"This is one of the largest data thefts we've seen targeting a single private company in Japan," said Dr. Yuki Tanaka, a cybersecurity professor at Osaka University. "The fact that a minor could execute such an attack points to systemic gaps in access control."
What Happened
According to Osaka prefectural police, the suspect ran custom malicious code to infiltrate Kaikatsu Club's central database. The stolen information includes names, addresses, phone numbers, and membership registration details.
When questioned, the teenager explained his motivation: "I wanted to buy Pokémon cards." This bizarre admission has sparked disbelief and debate about the scale of the crime versus the perceived triviality of the motive.
Background
Kaikatsu Club operates over 200 branches across Japan, serving millions of customers who use its private cubicles for work, gaming, or overnight stays. The chain stores sensitive personal data for membership billing and identification.
Prior to this incident, similar attacks on internet cafes have been rare in Japan, though the country has seen a rise in ransomware and credential-stuffing attacks since 2023.
What This Means
The breach exposes how critical data can be stolen for seemingly frivolous purposes, underscoring the need for companies to treat all data as high-value assets. Cybersecurity experts warn that the attack could lead to phishing campaigns targeting the 7 million affected users.
"This is a wake-up call for the hospitality sector," said Inspector Hiroshi Yamada of the National Police Agency's Cybercrime Division. "Businesses must adopt multi-factor authentication and regular penetration testing to prevent amateur hackers from causing widespread damage."
Legal Consequences
The suspect has been charged under Japan's Unauthorized Access Prohibition Act, which carries penalties of up to five years imprisonment or fines of up to 2 million yen. Because he is a minor, his case will be handled by the family court system.
Industry Reaction
Kaikatsu Club issued a statement apologizing for the breach and confirmed it is cooperating with police. The company has since implemented emergency security patches and is requiring all users to reset passwords.
What to Do If You Are Affected
Users who have visited Kaikatsu Club in recent years should monitor their bank accounts and credit reports for suspicious activity. Security experts recommend enabling two-factor authentication on all linked accounts and being wary of unsolicited messages.
"The most immediate risk is social engineering—criminals will use the stolen data to craft convincing phishing emails," warned Tanaka. "Never click on links claiming to be from Kaikatsu Club unless you have verified the source."
Investigation Continues
Police are still searching for any secondary accomplices or evidence that the data has been sold on the dark web. So far, no ransom demand has been made, and the suspect remains in custody pending a psychological evaluation.
This breaking story will be updated as more details emerge.