June 16, 2026
To All Users of Our Services,
We are writing to inform you that, we identified an issue where user data registered in the user management systems (i.e., a Microsoft Entra ID Guest Group and Box Shared Folders (collectively, “the Relevant Systems”)) was unintentionally made accessible to other users registered in the Relevant Systems. The Relevant Systems are utilized when inviting external users to use Komatsu Ltd.’s (“Komatsu”) various applications, participate in online meetings, and share files. The user data included users’ names, email addresses, user types and access dates and times. We sincerely apologize for any inconvenience and concern this may have caused.
We explain the details of the issue identified to date, recommended actions, and preventative measures we will take below.
1. Overview of the Issue
On April 23, 2026, a user registered in the Microsoft Entra ID Guest Group contacted us to report that other users’ data registered in the system could be viewed. We immediately initiated an internal investigation and confirmed that, due to a configuration issue of the system, registered users in the system were able to view other users’ data within that same system. Subsequently, on May 12, 2026, we confirmed a similar issue for Box Shared Folders.
Upon discovery of the issues, we promptly changed the relevant settings to prevent registered users from viewing other users’ data.
Please note that user data was not accessible to the general public over the internet.
2. Types of Data Involved
The user data that was accessible is as follows:
(1) Microsoft Entra ID Guest Group
• Affected users: Users registered in the Microsoft Entra ID Guest Group
• Types of data: Name, email address, user type (displayed as “Guest” for most users)
• Number of affected registered users: 139,302
• Time frame: The settings for the Microsoft Entra ID Guest Group remained in place from around 2021 until April 27, 2026
(2) Box Shared Folders
• Affected users: Users registered in the Box Shared Folders
• Types of data: Name, email address, user type (displayed as “User” for most users), access date and time
• Number of affected registered users: 1,457
• Time frame: The setting for Box Shared Folders remained in place from around April 2026 until May 19, 2026
All recipients of this notice were registered in both the Microsoft Entra ID Guest Group and the Box Shared Folders, and user data was therefore accessible in both systems. Please note that all users registered in the Box Shared Folders were also registered in the Microsoft Entra ID Guest Group. Therefore, the number of affected registered users stated under (2) above is included in the number of affected registered users stated under (1) above.
Please note that the user data involved was only viewable among other registered users in the Relevant Systems and there was no function to download the relevant user data in bulk.
3. Recommended Actions to Users
At this stage, we have not discovered any secondary misuse of user data resulting from the issue. However, there is a possibility that suspicious emails impersonating us, our affiliates, or others may be sent in the future. We ask that you exercise caution.
4. Preventive Measures
Access to other users’ data within the Relevant Systems has already been disabled. Going forward, we will establish procedures to ensure that user lists are hidden by default when inviting and registering external users in the Relevant Systems. We will also further reinforce internal awareness regarding the importance of personal information and ensure its proper handling going forward.
5. Contact for Inquiries
Komatsu Ltd.
E-mail address: JP00MB-privacy@global.komatsu
No : 0030(3443)
Corporate Communications Department
Sustainability Promotion Division
Komatsu Ltd.
tel: +81-(0)3-6849-9703
mail: JP00MB_cc_department@global.komatsu
*The information may be subject to change without notice.
