The news that the Japan Pensions Service had been hit by a significant cyber attack has made headline news.
The Pensions Service has a checkered past, causing a national unrest when in 2007, it was revealed that 50 million premium payers might not actually be record-matched to an actual citizen in the system.
Now, the massive data leak resulting from the hack has set citizens panicking once more, a panic made all the more intense by the fact that next year Japan will switch to a system that registers citizens’ social security and tax details through a single number for linked electronic records.
Netizens are surprised that such a hack on a public organization that stores the details of millions of citizens was even possible.
From Yahoo! Japan:
Personal Details Of 1,250,000 Files Leaked After Cyber Attack On Worker’s Computer Terminal — Pensions Service
On June 1, the Japan Pensions Service announced that a worker’s computer terminal had suffered a cyber attack, and personal information from around 1,250,000 files had been leaked externally. All of the files contain the pension holder’s name and basic pension number, while around 52,000 of the files also contained the pension holder’s address. 550,000 of the files did not have passwords set, going against internal rules. Chairman of the Japan Pensions Service, Mizushima Toichiro, apologized for the leak, saying “I feel a grave responsibility in all of this. I will put all my efforts into dealing with it”.
Prime Minister Abe told a group of journalists: “These are the precious pensions of the Japanese people. I have told the Minister of Health, Labor and Welfare to do everything we can”. Shiozaki Yasuhisa, the Minister of Health, Labor and Welfare told journalists at a press conference that “We deeply regret that we were unable to avoid this malicious attack”, and revealed that the ministry would carry out an inquiry.
According to the Pensions Service, a computer terminal was infected with a virus when a member of staff opened a file attached to an e-mail, and “and began a strange communication”. The service requested the help of an outside security firm, but it appeared that there were other members of staff who also opened the attachment, and on May 18 another instance of unauthorized access was detected. On the next day, May 19, the service asked the Metropolitan police to investigate, and on May 28 police informed them of the information leak.
According to the Tokyo Metropolitan Police Department Public Security Bureau, it is likely that the attack is in violation of Anti-Hacking Laws and constitutes an unauthorized command to use electromagnetic records. An invesigation has been started.
The data that has been leaked is broken down as follows: (1) Basic pension number and name in around 31,000 cases; (2) Number, name, and date of birth in around 1,167,000 cases; (3) Number, name, date of birth, and address in around 52,000 cases. Furthermore, there is the possibility that the number of cases will continue to rise.
Pensions Service internal rules stipulate that when data, including personal information, are stored on a computer terminal, they must have passwords set and viewing the file externally is restricted. However, around 550,000 files did not have passwords set, and therefore this is a violation of internal rules.
In order to limit the damage caused by the attack, the Pensions Service has cut Internet access for all offices within the Service. Unauthorized access to the key system that handles pension savings amounts and work history of pension holders has not been confirmed, but an investigation is continuing.
From June 2, in the case that there are various procedures for pension holders whose details have been leaked, their identities will be thoroughly checked by the Pensions Service. The persons concerned will also have their basic pension numbers changed to prevent identity fraud.
As well as contacting each pension holder personally to apologize, the Pensions Service has also set up a dedicated helpline for those who have recieved suspicious communications. The telephone number is freedial (0120) 818211.
Comments from Yahoo! Japan:
篠原 修司:
According to the Metropolitan Police, this year there has been a sharp increas in the number of phising e-mails targeting people in the Pensions Service, a 3.5 times increase when compared with last year (492 → 1,723).
In 82% ofcases, the phishing e-mails were pretending to be a job-related communication, and 96% of them were sent with compressed file attachments.
When the compressed file is unzipped, an executable file appears, and if the user runs the file, their computer becomes infected.
It is thought that attacks like this, which target corporations and public organizations, will increase when the “My Number” social security and tax number system begins, and if we are to introduce the “My Number” system then much more security education will be necessary to remove human error.
Moreover, it is thought that from now on there will be a lot of fraud that uses this recent news, so please take sufficient care.
藤田孝典:
Because in an aging society our key consumers are the elderly, corporations’ access to information with the elderly in mind is increasing by the day.
Sales of health foods, fee-paying retirement homes, and programs for burials and funerals are escalating, and elderly people who suffer consumer issues remain rife.
Information such as addresses, ages, and pension totals of elderly people has a high value and can be traded.
Because of this, those who work in social security also handle personal information sensitively.
I hope that they pay utmost attention that this information does not get used to malicious ends.
haw*****:
There is no bright side to news about pensions.
yuk*****:
What happened to their security strategy?
It seems like they might only have realized this happened because of an indication from an outside organization.
uzi*****:
As things are, this “My Number” thing ain’t gonna work, it links to even more important information.
axl*****:
With security like this, are they really going to be able to do the “My Number” system from next year? Doesn’t that just mean that even more personal information is going to be leaked?
ano*****:
Wow, 1250000 people….
I wonder who did the attack, and why…
nan*****:
As someone who is going to submit the documents for the “My Number”system, I can only feel unease.
loi*****:
The fact that they can attack so easily means that they can probably doctor the information too, doesn’t it?
mic*****:
We know that it was a computer terminal of a member of staff, but which member of staff operated it? Who gave the order? How was the information they got from using the terminal used? If they don’t reveal everything, then we can’t deny the possibility that this was an inside job. Simply put, if you have such a weak system that it can’t withstand a cyber attack, then the responsibility lays with those who operate the system.
dok*****:
Wasn’t it a member of staff take who leaked the personal information outside? w
wrt*****:
There’s stuff like this happening all the time in the Pensions Service, the office loses records, they’re subject to cyber attacks, etc. I hope that they don’t say next that they’re been hit by a cyber attack, shut down, and lost all the records.
den*****:
With the way things are, I’ll be pretty worried if they actually introduce the “My Number” system. You just can’t trust it. I wish they’d cancel the whole thing.
ato*****:
Even when they make an announcement, they don’t take responsibility do they? They don’t even have to worry about going out of business or that their share price will drop.
yut*****:
Isn’t it just now a matter of time before data leaks happen with the “My Number” system?
Will it really be OK?
Doesn’t it kinda seem that the more convenient things get the less safe they are?
Or is that just me?
cro*****:
This is probably a warning as to what will happen with “My Number”.
They’re too soft on security, there’s no way they’ll manage it.