On April 27, 2026, IG Securities (IG Japan) apologized for a data-handling failure that touched 162,879 clients. The exposed fields were not trivial: full names, dates of birth, residential addresses, phone numbers, and — most sensitively — My Number, Japan's national identification number. A subset of 29,734 clients had records stored on an offshore server operated by affiliate IG Markets Limited without IG Japan's approval. The firm says it found no evidence of any external leak, deleted the external data on March 5, and repatriated all My Number data to Japan-based systems by March 27, 2026 (Finance Magnates; FinanceFeeds).
On its own, this is an unglamorous compliance story: a contractor stored data where it shouldn't have, an internal access misconfiguration lingered, and the company caught and remediated it. But the incident lands in a specific national context that makes it worth more than a press-release footnote. Japan is in the middle of the worst fraud year on record, and the fraud that is growing fastest runs on exactly the kind of identity data that sits in a brokerage's My Number files.
The harm is downstream, on the messaging apps
The National Police Agency reported that combined losses from special fraud and social-media investment scams hit a record ¥324.11 billion (about US$2.1 billion) in 2025 across roughly 42,900 cases. Within that, "special fraud" — where criminals impersonate relatives, officials, or police — reached 27,758 cases, with roughly 70% of the losses coming from schemes in which fraudsters posed as police officers (BrokersView, citing NPA data).
This is the "digital arrest" playbook, already familiar in India and now entrenched in Japan. A target gets a call or a messaging-app contact — LINE, WhatsApp, or a video call — from someone claiming to be police. They are told they are implicated in a crime, shown a fake warrant bearing their own name, and pressured to stay on the line and move money to "clear" themselves. In one Hyogo Prefecture case, a man lost ¥2 million after being directed to a site mimicking the Tokyo Metropolitan Police homepage, where entering a case number produced a forged warrant with his name on it.
The mechanism that makes this work is plausibility. A scammer who already knows your full name, address, and date of birth — and can recite your My Number — is no longer a cold caller. They are an "officer" who has your file. That is why a brokerage's customer database is not just a privacy asset; it is raw material for the next impersonation script. The NPA itself stresses that real police never contact citizens over social media, never send warrant images, never initiate video calls, and never ask people to move money — precisely because the scammers do all four.
Steelman the strict-handling regime
It is fashionable in pro-innovation circles to treat data-localization and My Number handling rules as bureaucratic friction. The honest case for them is strong. A national ID number is a permanent, reusable credential: unlike a password, you cannot rotate your My Number after a leak. Japan's Personal Information Protection Commission (PPC) supervises every operator that handles "Specific Personal Information" relating to My Number, with powers of guidance, on-site inspection, recommendation, and order (PPC). Under Article 26 of the Act on the Protection of Personal Information, operators must report breaches likely to harm individuals to the PPC and notify the affected people (APPI, official translation). Given how directly leaked identity data feeds impersonation fraud, that elevated duty of care is proportionate, not theatrical.
But notice what actually went wrong — and what didn't
Here is where proportionate regulation should keep its eye on the ball. The IG Japan incident was not a hack. It was an internal governance failure: an affiliate spun up an unapproved offshore server, and access controls were misconfigured. The fix was also internal — delete, repatriate, tighten contractor oversight, restrict access to necessary personnel. No external attacker, no confirmed exfiltration.
That distinction matters for policy design. The temptation after every My Number incident is to bolt on more localization mandates and heavier prior-approval paperwork. Those rules would not have changed the outcome here, because the problem was that IG's own affiliate ignored the approvals that already existed. Compliance you don't enforce internally is not compliance. The proportionate response is sharper accountability for group-entity data governance and faster breach disclosure — not a new statutory layer that punishes the firms that self-report while doing nothing about the contractor discipline that actually failed.
Meanwhile, the regulation that would most reduce real harm is not about where the data sits, but about what criminals do with it downstream: faster interbank transfer freezes, mule-account takedowns, and platform-level friction on the messaging and video channels where digital-arrest scripts play out. Japan's police have started endorsing fraud-prevention apps; that is the right altitude. A breach with no external leak is a manageable governance problem. A ¥324 billion impersonation-fraud economy that monetizes leaked identities over WhatsApp and LINE is the systemic one — and it will not be solved by asking brokerages to fill out more forms about where their servers live.