Learning Crisis Management and the Role of Lawyers from the Information Leak at Keio University

Information leaks due to unauthorized access occur not only in companies but also in educational settings, although the response seems to be slightly different from that of companies.

In particular, when it comes to personal information, students and faculty members are the main focus, so when an information leak incident occurs, the disclosure of information tends to be limited to a certain range.

However, there is no difference between companies and schools in terms of personal information protection, and the basics of crisis management in information leaks are the same.

Therefore, this time, from the perspective of crisis management for incidents of personal information leakage due to unauthorized access, we will explain the points of crisis management system based on the response to the information leakage incident at Keio University Shonan Fujisawa Campus (hereinafter, Keio SFC).

Overview of the Information Leakage Incident at Keio SFC

The main details of the unauthorized access and subsequent information leakage that occurred at Keio SFC are as follows:

• Discovery of the leak: In the early hours of September 29, 2020, the possibility of information leakage due to unauthorized access to the class support system (SFC-SFS)※ was discovered.
  ※SFC-SFS is a system with functions such as mass emailing to enrollees, downloading of enrollee rosters, registration of reports and assignments, acceptance of submissions, registration of grades (comments), input and viewing of class survey comments, etc.
• Cause of the leak: The IDs and passwords of 19 system users were stolen, and a third party illegally used them to intrude into the system. The vulnerability of SFC-SFS is considered to be the main cause.
• Scope of the leak: Personal information of students and faculty members, etc. managed by the Shonan Fujisawa Campus.
• Content of the leak: In addition to “name”, “address”, “account name”, and “email address”, for students, “face photo”, “student ID number”, “credit acquisition information”, “date of admission”, etc., and for faculty members, “faculty member number”, “position”, “profile”, “personal email data”, etc. are included.
• Number of leaks: There is a possibility of information leakage in about 33,000 cases.

Discovery of Unauthorized Access and Initial Response

On September 15th at around 17:45, the IT department of Keio SFC confirmed signs of sporadic vulnerability scanning against the SFC-SFS system.

Furthermore, on the night of September 28th, suspicious access to the SFC-SFS system was detected. Upon investigation, the possibility of information leakage due to unauthorized access was confirmed in the early hours of September 29th.

Keio SFC initiated the following initial responses the day after confirming the vulnerability scanning, a precursor to unauthorized access:

• Requested all users to change their passwords (September 16th, September 30th)
• Continued monitoring of all authentication points and authentication logs (ongoing from September 16th)
• Limited login to the shared server from outside the school to public key authentication only (September 16th)
• Suspension of web services where vulnerabilities were confirmed and repair of vulnerable points【In progress】(Sequentially from September 16th, SFC-SFS on September 29th)
• Shutdown of the SFC-SFS system (September 29th)

About Keio SFC’s Initial Response

When unauthorized access is discovered, it is standard to establish a response headquarters and handle the initial response. In this case, it seems that the IT department, led by Mr. Kunio, the Chief Information Officer and Chief Information Security Officer of Keio University, functioned as the response headquarters.

What’s important in the initial response is to prevent the spread of damage and the occurrence of secondary damage by “isolating information,” “blocking the network,” and “stopping services.” However, in the case of Keio SFC, the system users are not unspecified but limited to students and faculty, so priority is given to changing passwords and limiting login methods.

However, it can be said that it was appropriate crisis management to start moving immediately after confirming the signs of unauthorized access, and to stop the SFC-SFS system on September 29th when the possibility of information leakage was confirmed.

One point of concern regarding Keio SFC’s initial response is whether they reported to supervisory authorities or the police after taking evidence preservation measures against the crime of unauthorized access. However, this cannot be confirmed as there is no description in press releases or media reports.

About Notification to Related Parties

Notifications to Keio SFC students and faculty were made in the form of business contact emails as follows, and it is believed that the first mention of personal information leakage was in the email of September 30th.

On September 29th, Keio SFC notified its staff that the SFC-SFS was being shut down due to a “serious trouble”.

On September 30th, all users of SFC-SFS were asked to change their passwords as there was a possibility that “user account information” had been leaked due to this trouble.

In addition, the staff was notified that classes would be suspended for a certain period of time because they could not contact students or select course registrants as planned due to the shutdown of SFC-SFS.

Upon hearing this information, J-CAST News conducted an interview and published an article titled “Serious Trouble with the Class System at Keio SFC, Start of Autumn Term Delayed by One Week,” making the leakage of “user account information” public.

On October 1st, Keio SFC announced on its website for students that the SFC-SFS was shut down on September 29th due to the possibility of unauthorized access, and that classes would be suspended from October 1st to 7th due to this impact. (※No mention of personal information leakage)

Press Release Following the Discovery of Information Leakage

The first public announcement regarding the personal information leakage due to unauthorized access was made on November 10th on our website.

We have discovered that the user IDs and passwords of 19 users (faculty members) of the Shonan Fujisawa Campus Information Network System (SFC-CNS) and the Class Support System (SFC-SFS) have been stolen by some means, and that unauthorized access from outside using these credentials and attacks exploiting vulnerabilities in the Class Support System (SFC-SFS) may have resulted in the leakage of personal information from the system. We deeply apologize for causing inconvenience and concern to all those involved due to this situation. At this point, no secondary damage has been confirmed.

Keio University “About Personal Information Leakage Due to Unauthorized Access to SFC-CNS and SFC-SFS”[ja]

This press release also included detailed information on the following matters:

• The content of the potentially leaked personal information
• The circumstances under which the leakage was discovered
• The cause of the leakage
• Response after discovery
• Current situation
• Preventive measures against recurrence

The above contents almost cover all the necessary items for public materials regarding information leakage.

About Keio SFC’s Press Release

Timing of the Press Release

Originally, Keio SFC should have made the announcement themselves first, but it is undeniable that it was late to announce it 41 days after the report from J-CAST News.

This is because in the case of personal information leakage, it is necessary to promptly notify the person whose personal information has been leaked in order to prevent secondary damage.

However, there is no problem if they informed the specific content of “user account information” at the time of the password change request on September 30th.

Alert for Fraud and Nuisance

In the press release after the discovery of information leakage, it is necessary to make a public announcement about the occurred information leakage, notify and apologize to the person if personal information has been leaked, and alert them to prevent damage from fraud and nuisance.

Even information within the closed campus can be misused if it leaks to the outside world, and in this case, it is necessary to alert against fraud and nuisance.

The Countermeasure Headquarters at the Heart of Crisis Response

Keio SFC describes the countermeasure headquarters in its press release on “Preventive Measures” as follows:

At Keio University, in light of this unauthorized access incident, we will promptly work on measures to prevent recurrence, such as security checks and improvements of web applications and systems, and review of personal information handling. In addition, we established a CSIRT (Computer Security Incident Response Team) within the university on November 1, 2020 (Gregorian calendar year), and we will build an organization that can comprehensively respond to cybersecurity while collaborating with external specialized institutions, and strive to further enhance security throughout the university.

Keio University “On the leakage of personal information due to unauthorized access to SFC-CNS and SFC-SFS”[ja]

It seems that the initial response to this incident was handled by Keio SFC’s internal organization acting as the countermeasure headquarters, but the “CSIRT” established on November 1, 2020, is an organization equivalent to the countermeasure headquarters that will be at the center of crisis response in case of future incidents and for strengthening security.

While the members of the CSIRT are unknown, not only system security measures but also simultaneous progress in contacting target users, reporting to supervisory authorities and police, media response, and consideration of legal responsibilities are necessary. Therefore, participation of the following external third-party organizations and experts is generally required:

• Major software companies
• Major security specialist vendors
• External lawyers with deep knowledge of cybersecurity

Summary

Even in cases like this one, where a personal information leak has been discovered in an educational setting, it is crucial to have appropriate ‘initial responses’ and ‘notifications, reports, and public announcements’ centered around a strategy headquarters, as well as subsequent ‘security measures’.

What is particularly required to be swift is not only the initial response, but also notifications and reports to the police and relevant government agencies, notifications (apologies) to the individuals involved, and public announcements at the appropriate timing.

However, if you make a mistake in the procedures or how to handle the situation, you may be held liable for damages. Therefore, we recommend that you proceed with the advice of a lawyer who has extensive knowledge and experience in cybersecurity, rather than making judgments on your own.

If you are interested in crisis management during the information leakage caused by Capcom’s malware, please see the article for more details.

https://monolith.law/corporate/capcom-information-leakage-crisis-management[ja]

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with high expertise in both IT, particularly the internet, and law. Our firm conducts legal checks for various cases, ranging from companies listed on the Tokyo Stock Exchange Prime Market to venture companies. Please refer to the article below.