Report on the investigation results and apology regarding the unauthorized Access incident
December 12, 2025
Regarding the case of unauthorized Access to our company's system, which was announced on Friday, August 29, 2025, we would like to report the results of the investigation we conducted in collaboration with external experts as follows.
As a result of this incident, it was confirmed that a third party had infiltrated our network and encrypted data on multiple servers and some computer terminals. Furthermore, an investigation by an external expert revealed that some of the personal information held by our company may have been leaked to an external party, but at this time, no damage has been confirmed.
We deeply apologize for the great concern and inconvenience caused to guests and other parties involved.
1. From discovery to initial response
On Friday, August 29, 2025, we confirmed that unauthorized Access had been made to part of our system and that some of the files on our servers, including our business management system, had been encrypted.
To prevent the damage from spreading, we immediately shut down the affected server and related systems and took emergency measures, including blocking the network.
We reported the incident to the Personal Information Protection Commission and the police on the same day, and began an investigation and recovery efforts by external experts.
2. Survey results
As a result of an investigation by external experts, it was discovered that a third party had illegally infiltrated the network via remote Access equipment used by our company, that encryption had been performed on multiple servers and computer terminals, and that some of the personal information held by our company may have been leaked to the outside, but no damage has been confirmed at this time.
3. Scope of personal information that may have been leaked
| Stakeholders |
Content etc. |
|---|---|
| guests information for approximately 1,499,300 people |
Name, date of birth, gender, address, telephone number, email address, etc. |
| Information on our executives and employees (including retirees) and their families: Approximately 37,300 people |
Name, date of birth, gender, address, telephone number, email address, My Number information, health check results, information about disabilities, etc. |
| Information on approximately 9,400 business partners |
Name, company name, address, telephone number, email address, My Number information, etc. |
*Credit card information is not held by our company, so there is no risk of it being leaked.
4. Information for applicable to guests and related parties
We will be sending individual notices to applicable to individuals in due course. If it is difficult to notify individuals individually due to unknown contact details, etc., we will use this announcement instead as a notice.
Please continue to be cautious about any unexpected phone calls or emails.
If you receive any suspicious contact, please contact the following inquiry desk.
5. Impact on guests and stakeholders and recovery status
Due to this issue, some systems have been affected,
・ Huis Ten Bosch official app Attractions time display will be suspended
・Restrictions on use of some ordering systems
However, all services will be restored by Wednesday, October 1, 2025.
6. Measures to prevent recurrence
We take this incident seriously and are implementing and strengthening the following initiatives.
- Redesign and tighten communication routes and purpose-specific communications
・Review of security policies and authentication methods for various accounts
- Strengthening device management policies
・Reconstruction of security monitoring system
・Reorganization of backup systems and business continuity plans (BCPs)
・Strengthening information security education for employees
7. Contact point
For inquiries regarding this matter, please contact the following office:
Huis Ten Bosch Co., Ltd. Personal Information Consultation Desk
[Telephone number] 0120-602-064
[Reception time] 9:00-17:00 *Excluding holidays (January 6th to January 9th, 2026)
8. Conclusion
We sincerely apologize for the great concern and inconvenience caused to guests and other parties involved. We will work together as a company to prevent a recurrence and restore trust.
End
Status of the unauthorized Access incident and progress of the investigation
As of 7:00 PM on Sunday, August 31, 2025
We have confirmed that our website was subject to unauthorized Access on Friday, August 29th.
Currently, some services are unavailable to guests.
<Services currently unavailable>
-Attractions time displayed on the Huis Ten Huis Ten Bosch app
・Receive receipts at some restaurants
<Investigation progress>
We have reported this to the Personal Information Protection Commission and the police, and are working with external specialist agencies to prevent the damage from spreading and to investigate the extent of the damage.
We deeply apologize for the great concern and inconvenience caused to all concerned parties and guests.
Notice of unauthorized Access incident
August 29, 2025
Huis Ten Bosch Co., Ltd. would like to inform you that unauthorized Access to our system was confirmed on August 29, 2025.
We are currently investigating the details, and we sincerely apologize for the great concern and inconvenience caused to everyone.