MONOLITH LAW MAGAZINE

General Corporate

Unstoppable Personal Information Leaks, a 1.5-Fold Increase in Reiwa 5 (2023) Compared to the Previous Year: Explaining the Latest Trends

In recent years, the sophistication of cyber-attacks and the increase in personal data breaches due to human errors have become a serious issue for businesses. Such breaches can lead to significant damages for companies, including reputational harm, litigation risks, and even business suspension.

This article provides an analysis of the trends in personal data breach cases based on the annual report for the year Reiwa 5 (2023) published by the Japanese Personal Information Protection Commission. Use this article as a reference to strengthen your company’s information security measures and prevent potential leakage risks.

What is the Annual Report of the Personal Information Protection Commission?

Under the amended Japanese Personal Information Protection Act, which came into effect in April of Reiwa 4 (2022), personal information handlers are required to report to the Personal Information Protection Commission (PPC) via its website in the event of a personal information breach or similar incident, provided that certain conditions are met.

The Personal Information Protection Commission published its annual report for Reiwa 5[ja] in June of Reiwa 6 (2024).

Related article: What are the Key Points of the Reiwa 6 (2024) Amendment to the Personal Information Protection Act? Explaining the Changes and Measures You Should Know[ja]

Supervision of Personal Information Handlers

In the fiscal year of Reiwa 5 (2023), there were 12,120 reported cases of data breaches and related incidents, which represents a significant increase compared to the 7,685 cases reported in the previous fiscal year. Let’s take a closer look at the specifics.

Status of Handling Incidents Involving Data Breaches and Similar Issues

Among the reported incidents, there were 11,635 cases (96.0%) involving breaches affecting fewer than 1,000 individuals per incident, and 61 cases (0.5%) involving breaches affecting more than 50,000 individuals.

In incidents reported directly to the Commission, the most common type of information breached was customer information (83.5%). By form of the breached information, paper-based breaches (82.0%) were far more prevalent than those involving electronic media (12.2%).

According to the classification based on the reporting obligations set by the Japanese Personal Information Protection Law and the Enforcement Regulations for the Law Concerning the Protection of Personal Information (Enforcement Regulations), the most common breaches involved sensitive personal data, such as medical history and race (89.7%). This was followed by breaches of personal data that could have been accessed or used for illicit purposes (8.1%).

Given that the majority of breaches (86.3% in total) were caused by human error such as incorrect deliveries, misdirected mailings, improper disposal, and loss, the likely explanation for this trend is that many incidents involved sensitive personal data, which must be reported even if only one individual is affected. This includes paper-based breaches such as the incorrect issuance of medical billing statements at healthcare institutions.

In response to these reports, the Japanese Personal Information Protection Commission has verified whether notifications to the individuals concerned (as per Article 26, Paragraph 2 of the Personal Information Protection Law) were appropriately conducted, whether the causes of the breaches were properly identified and analyzed, and whether the measures listed for preventing recurrence were appropriately addressing the causes. Where necessary, the Commission provided information on methods for analyzing causes and considering measures to prevent recurrence.

Status of Reporting, Guidance, and Advice

A total of 73 reports were collected, and 333 instances of guidance and advice were provided to personal information handlers and related entities.

The following are cited as significant cases:

  • A case where a related retail electricity business operator (a group company of a general electricity distribution company, or the distribution company’s own retail division) accessed and used information on new power customers held by the distribution company.
  • A case involving the use of an account ID and password assigned to a general electricity distribution company by related retail electricity business operators to access and use personal information within the ‘Renewable Energy Business Management System’ managed by the Agency for Natural Resources and Energy.
  • An incident where Toyota Motor Corporation had entrusted the handling of personal data related to vehicle user services to its subsidiary, Toyota Connected Corporation, and the personal data managed on the company’s server was accessible from outside.
  • A case where the Independent Administrative Institution National Hospital Organization, a medical information handler under the Act on Anonymously Processed Medical Information to Contribute to Medical Research and Development (Japanese Law No. 28 of 2017), leaked patient medical information.
  • Cases where three opt-out notification business operators violated the provisions of the Personal Information Protection Law.
  • A case where NTT DOCOMO, Inc. had outsourced customer information management for telephone sales to NTT Nexia Corporation, and a temporary employee of Nexia accessed a personal cloud service without authorization from a PC used for work, uploading personal data of approximately 5.96 million individuals, leading to a potential data breach.
  • A case where a tutor at Yotsuya Otsuka Corporation, a company that operates a middle school preparatory school, searched and viewed personal data of elementary school students attending the school, recorded it on a private smartphone along with photos and videos of the students, and posted the personal data of six individuals on their personal SNS account, resulting in a leak.
  • A case where MK System Corporation’s server was subjected to unauthorized access, and personal data managed on the system was encrypted by ransomware, creating a risk of data breach.
  • A case where the GUID (internal identifier) of auction sellers on Yahoo! Auctions could be viewed by third parties if certain commands were entered on specific product pages, creating a risk of personal data leakage.

In response to these cases, guidance based on Article 23 of the Personal Information Protection Law was provided, and some entities were requested to report on the implementation status of measures to prevent recurrence.

Advisory Status

Three advisories were issued to entities handling personal information. Summaries follow.

In one case, an individual affiliated with NTT Business Solutions Corporation, engaged in system maintenance and operation as a subcontractor of NTT Marketing Act ProCX (a company operating a call center business on behalf of private enterprises, independent administrative agencies, and local public organizations), illegally removed personal data of approximately 9.28 million customers or residents. Both companies were advised to take necessary measures to correct violations of Article 23 of the Japanese Personal Information Protection Act (2003).

At LINE Yahoo Japan Corporation, an incident occurred where personal data related to LINE users, business partners, and employees was leaked following unauthorized access to the information system, triggered by a malware infection on a PC used by an employee of a subcontracted Korean security maintenance company. The company was advised to take necessary corrective measures for violating Article 23 of the Japanese Personal Information Protection Act (2003), and was requested to report on the status of improvements, including the implementation of measures to prevent recurrence.

Monitoring of Administrative Agencies and Similar Entities

Under the Japanese Personal Information Protection Law, monitoring has been conducted on administrative agencies and similar entities.

Status of Handling Reports on Personal Information Breaches

In the context of monitoring administrative agencies and similar entities, 1,159 cases of personal information breaches were processed. Of these, 162 reports were from national administrative agencies and 997 from local public entities.

Most reported cases, as in the previous year, involved breaches of personal information that included sensitive personal data (national administrative agencies: 61.1%, local public entities: 80.3%). Following this, there were breaches involving personal information of more than 100 individuals (national administrative agencies: 31.5%, local public entities: 18.8%).

The majority of the causes were attributed to so-called human errors such as incorrect deliveries, misdirected mailings, improper disposal, and loss (national administrative agencies: total 6.8%, local public entities: total 78.8%). System misconfigurations and other related issues were the next most common causes (national administrative agencies: 22.8%, local public entities: 17.7%).

The number of individuals affected by each incident was most often less than 1,000 (national administrative agencies: 93.2%, local public entities: 96.7%). The most frequently leaked information pertained to citizens and similar parties (national administrative agencies: 78.4%, local public entities: 91.1%). As for the form of the leaked information, paper-based materials were the most common (national administrative agencies: 58.0%, local public entities: 76.8%).

Requests for Documentation, On-Site Inspections, Guidance, and Advice

To verify compliance with the guidelines of the Japanese Personal Information Protection Law and the Law Concerning the Protection of Personal Information (for administrative agencies and similar entities), 65 planned on-site inspections were conducted. These inspections led to guidance for improvements in the proper handling of personal information and requests for documentation on the instructed matters.

In addition to on-site inspections, 73 instances of guidance and advice were provided, such as demanding thorough measures to prevent recurrence of inadequate safety management measures upon receipt of reports of personal information breaches.

  • An incident where the Renewable Energy Business Management System, managed by the Agency for Natural Resources and Energy, had its assigned accounts’ IDs and passwords used by related retail electricity businesses to access and use personal information within the system.
  • An incident in the town of Noheji, Aomori Prefecture, where a USB drive containing personal information such as names, birthdates, health examination results, and COVID-19 vaccination records of most town residents was lost, raising the risk of a data breach.
  • An incident where two teachers at two high schools under the jurisdiction of the Nagano Prefectural Board of Education fell victim to a technical-support scam (“support fraud”). Following the attacker’s instructions, they installed remote access software on their school PCs without authorization, potentially leading to a breach of personal information of students and staff.

In response to these incidents, guidance based on Article 66, Paragraph 1 of the Japanese Personal Information Protection Law was provided to address insufficient responses to safety management issues. For the incidents in Aomori and Nagasaki Prefectures, documentation was also requested to verify the implementation of measures to prevent recurrence.

Summary: Personal Information Breach Incidents Reach an All-Time High Since Reporting Began

Since the Reiwa 4 (2022) amendment, reporting to the Japanese Personal Information Protection Commission has been mandatory. The number of reports in Reiwa 5 (2023) reached 12,120 cases, an increase of approximately 58% over the previous year and the highest number since reporting became a duty of effort in Heisei 25 (2013).

When it comes to handling personal information, if measures are mishandled and a breach occurs, such incidents will be published on the website of the Japanese Personal Information Protection Commission, potentially leading to damage to the corporate brand and a loss of social credibility. We recommend consulting with a lawyer regarding the handling and operation of personal information to prepare and respond appropriately in advance.

Guidance on Measures by Our Firm

Monolith Law Office is a law firm with extensive experience in IT, and in particular in matters spanning both the internet and the law. The leakage of personal information has recently become a significant issue, and a leak can have a critical impact on corporate activities. Our firm possesses specialized knowledge in preventing and responding to information leaks. Details are provided in the article below.

Areas of practice at Monolith Law Office: Japanese Personal Information Protection Law-related legal services[ja]

Editor in Chief: Toki Kawase, Managing Attorney

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies and has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.