Trends in Personal Information Leaks and Loss Incidents in 2019
According to Tokyo Shoko Research, in 2019, 66 listed companies and their subsidiaries announced incidents of personal information leakage or loss. The number of incidents reached 86, and the leaked personal information amounted to 9,031,734 individuals. In 2019, there were two major incidents in which more than 1 million pieces of personal information were leaked. The payment service “7pay” introduced by the retail giant Seven & i Holdings was forced to shut down because of fraudulent use, once again highlighting the importance of security measures.
Case of “Takufile-bin”
On January 22, 2019, a data breach was discovered in the file transfer service “Takufile-bin”, operated by OGIS Research Institute, a wholly-owned subsidiary of Osaka Gas. Suspicious files were found on the server, and further investigation revealed suspicious access logs. To prevent further damage, the service was suspended on the 23rd, and the first report was released. The data breach was confirmed on the 25th.
The number of leaked cases was 4,815,399 (22,569 paid members, 4,753,290 free members, and 42,501 former members). The leaked information included names, email addresses for login, login passwords, dates of birth, gender, occupation/industry/job type, and names of prefectures of residence. This number of leaked cases is the second highest in history, following the unauthorized acquisition of personal information of 35.04 million individuals by a contracted employee at Benesse in 2014.
Subsequently, OGIS Research Institute considered recovery while inspecting and strengthening security. However, as the prospect of system reconstruction was not established, it was announced on January 14, 2020, that the service would be terminated on March 31, 2020.
If you used the same email address and login password registered with “Takufile-bin” for other web services, there is a risk of unauthorized login to those web services by third parties who obtained the leaked information, or so-called “impersonation” access.
The Case of Toyota Mobility
On March 21, 2019, Toyota Mobility, a sales subsidiary of Toyota Motor Corporation, was subjected to a cyber attack. It was announced that a total of eight related sales companies sharing a common system infrastructure were targeted, and that up to 3.1 million pieces of personal information may have leaked from the network server. Fortunately, it has been announced that credit card information was not leaked, so the likelihood of direct financial harm may be low. However, since it is information about customers who purchased cars, it may be traded at high prices among list brokers, and the damage may not end there.
Despite having obtained the Privacy Mark (P-Mark), Toyota Mobility has suffered this personal information leak, forcing it to make important choices in its future security measures. This leak also proves that the previous security measures could not prevent it. It will be necessary to realize a management system for personal information protection at a higher level than the security system that earned the Privacy Mark (P-Mark).
As was the case with Benesse, if the future management system for personal information protection is judged to be insufficient, there is a possibility of losing the Privacy Mark (P-Mark). If the Privacy Mark (P-Mark) is lost, there is a risk of losing credibility, which would be a major problem.
The Case of “7pay”
The payment service “7pay” introduced by Seven & i Holdings was launched on July 2, 2019. The very next day, users reported unauthorized transactions. An internal investigation conducted on July 3 revealed fraudulent use of the service.
Immediately, all charges from credit and debit cards were temporarily suspended. From July 4, new registrations for the service were also temporarily halted, and all charges were suspended on the same day.
The number of victims of unauthorized access was reported to be 808, with a total loss of 38,615,473 yen. The method of unauthorized access was most likely a list-based attack. This type of attack mechanically inputs IDs and passwords that were leaked from other companies in the past. It is said that this method was attempted tens of millions of times, and that the number of successful logins exceeded the 808 cases of fraudulent use. The reasons list-based account hijacking could not be prevented include insufficient measures against logins from multiple devices, insufficient consideration of additional authentication such as two-step verification, and the inability to fully verify that the system as a whole had been properly tuned.
On August 1, Seven & i Holdings held an emergency press conference in Tokyo and announced that “7pay” would be terminated at 24:00 on September 30. The reasons for discontinuing the service are as follows:
- It is expected that a considerable amount of time will be needed to complete a thorough response to resume all services, including charging, for 7pay.
- If the service were to continue during this period, it would have to be in an incomplete form of “payment only”.
- Customers still have concerns about the service.
The incident, which forced an unusually rapid withdrawal, exposed the laxity of Seven & i Holdings’ cybersecurity awareness and the poor coordination within the group. The stumble of a major distributor has led to concerns about the government-promoted cashless payment system.
The Case of Uniqlo
On May 10, 2019, it was confirmed that unauthorized logins by parties other than the users themselves had occurred on the online store site operated by Uniqlo.
From April 23 to May 10, the number of accounts registered on the Uniqlo official online store and the GU official online store that were illegally logged into using list-based attack methods was reported to be 461,091. Personal information of users that may have been viewed included name, address (postal code, city, town, village, house number, room number), telephone number, mobile phone number, email address, gender, date of birth, purchase history, name and size registered in “My Size”, and part of the credit card information (cardholder’s name, expiration date, part of the credit card number).
The source of the attempted unauthorized logins was identified and its access was blocked, and monitoring of other access was strengthened. In addition, on May 13 the passwords of the user IDs whose personal information may have been viewed were invalidated. The affected users were individually contacted by email and asked to reset their passwords, and the Tokyo Metropolitan Police Department was notified of the case.
This case is characterized by the leakage of not only basic personal information such as name, address, telephone number, mobile phone number, email address, and date of birth, but also privacy information such as purchase history and the name and size registered in “My Size”. It is an unpleasant and anxiety-inducing incident.
https://monolith.law/reputation/personal-information-and-privacy-violation[ja]
Case of Kanagawa Prefectural Government
On December 6, 2019, it was revealed that information, including administrative documents containing personal information, had been leaked through the resale of HDDs (hard disk drives) used at the Kanagawa Prefectural Government. Fujitsu Lease, which has a lease contract with Kanagawa Prefecture for servers and other equipment, removed the HDDs from the leased servers in the spring of 2019 and entrusted their disposal to a recycling company. An employee of that company took some of the HDDs and resold them on Yahoo Auctions without erasing (initializing) them. A man who runs an IT company bought nine of them and, on checking their contents, found data that appeared to be official documents of Kanagawa Prefecture. He provided this information to a newspaper company, which confirmed it with the prefecture, revealing the leak.
According to the prefecture’s announcement on the morning of the 6th, a total of 18 HDDs were taken out, nine of which have been recovered, and the remaining nine were also recovered later. The leaked data included tax notices with personal and corporate names, notifications after tax investigations with corporate names, tax payment records for automobile taxes with personal names and addresses, corporate submission documents, and personal information such as work records and lists of prefectural employees. Since each of the taken HDDs has a storage capacity of 3TB, a maximum of 54TB of data may have been leaked from the 18 drives.
The Kanagawa Prefecture made basic mistakes such as:
- Not sufficiently considering hardware-level encryption for the file servers where administrative documents are stored, and storing the data unencrypted
- Although all data is supposed to be erased by initialization work when equipment holding important information is returned to the leasing company, not obtaining certificates of completion or similar evidence
- Allowing a recycling company, which the person in charge did not even know, to pick up leased equipment
Similarly, Fujitsu Lease made basic mistakes such as:
- Completely outsourcing equipment disposal (recycling) to a recycling company
- Although the lease contract required it to submit a certificate to the prefecture showing that the data had been completely erased, not asking the recycling company to issue that certificate
There is no need to discuss the recycling company.
The lack of a sense of crisis about security and the irresponsible outsourcing mentality common to the three involved organizations seem to have resulted in such a sloppy outcome.
https://monolith.law/corporate/act-on-the-protection-of-personal-information-privacy-issues[ja]
Other Cases of Unauthorized Access
Accidents caused by unauthorized access, which cause extensive damage and have a wide-ranging impact, are increasing year by year. In 2019, there were a record 41 cases (involving 32 companies) in the eight years since Tokyo Shoko Research began its investigations. This accounted for nearly half of the 86 cases of information leaks and loss incidents in 2019, with the number of leaks and losses amounting to 8,902,078 cases, or 98.5% of the total for 2019 (9,031,734 cases). In addition to the examples mentioned above, many cases of unauthorized access were revealed in 2019, including the following examples.
Case of an Automobile Accessories Sales Company
On February 26, unauthorized access occurred at the online shop operated by Hase-Pro Co., Ltd., a company that sells automobile accessories. A vulnerability in the site was exploited and a fake payment screen was displayed. As a result, the credit card information entered by users was leaked.
Case of “Dental Book Dot Com”
On March 25, unauthorized access occurred on the web server of “Dental Book Dot Com”, operated by Quintessence Publishing Co., Ltd., a specialized dental publisher. This resulted in the leakage of personal information of site users. For customers who paid by credit card, credit card information including security codes was also leaked. In addition, up to 23,000 pieces of personal information, including users of dental job recruitment sites and the Japanese International Dental Conference, were leaked.
Case of the “Nanatsuboshi Gallery”
On April 12, unauthorized access occurred on the “Nanatsuboshi Gallery”, an online store selling merchandise related to the Kyushu Railway Company’s cruise train “Nanatsuboshi in Kyushu”. As a result, personal information including customers’ credit card details was leaked. It was announced that for the 3,086 members who had registered credit card information, the security code may also have been included, and that information may have leaked for 5,120 cases in total, including members who had not registered card information and other users of the site.
Case of the Survey Monitor Service “An and Kate”
On May 23, unauthorized access exploiting a server vulnerability occurred at the survey monitor service “An and Kate”, operated by Marketing Applications Inc. Personal information from 770,740 registered accounts was leaked. The leaked information is reported to have included details such as email addresses, gender, occupation, place of employment, and bank account-related information.
Case of “Yamada Webcom Yamada Mall”
On May 29, unauthorized access occurred on “Yamada Webcom Yamada Mall”, operated by Yamada Denki Co., Ltd. The payment application was tampered with, and up to 37,832 customer records registered during that period were leaked.
Case of AEON Card
On June 13, unauthorized logins resulting from password list attacks occurred on AEON cards issued by AEON Credit Service Co., Ltd. It was confirmed that unauthorized logins were possible on 1,917 accounts, and that unauthorized logins actually occurred on 708 of them. It was announced that fraudulent use amounting to approximately 22 million yen had occurred. The attackers are believed to have obtained user account information by launching a password list attack on the official site “AEON Square”, changed the registered contact information to their own using the registration change function of the official app, and then spent funds through the payment linkage function.
Case of Sumitomo Mitsui Card’s “Vpass App”
On August 23, Sumitomo Mitsui Card Co., Ltd. announced that up to 16,756 customer IDs on its member smartphone app, “Vpass App”, may have been illegally accessed. The unauthorized access was detected through the company’s regular monitoring. On investigating the cause, it was found that the majority of the roughly 5 million login attempts used IDs not registered with the service, leading to the conclusion that it was a password list attack.
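The 7pay and Vpass cases above describe the same signal from the defender's side: a list-based attack replays leaked ID/password pairs once each, so one source produces a flood of attempts, almost every attempt uses a different ID, and most of those IDs do not exist on the service at all. The following is an added example, not code from the article or from any company it names, showing how a service could turn that pattern into a detection over its own login log and derive the list of accounts whose passwords need to be invalidated (as Uniqlo did on May 13). The log format, the registered-user set, the thresholds and the sample log lines are all constructed assumptions.

```python
"""Detection heuristics for list-based (credential-stuffing) login attacks.

Added example; not code from the article or from any company it names.
The log format, the registered-user set and the thresholds are assumptions
made up for illustration, and the sample log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical registered accounts of the service (constructed).
REGISTERED_USERS = {
    "alice", "bob", "carol", "dave", "erin", "frank",
    "grace", "heidi", "ivan", "judy", "mallory", "oscar",
}


@dataclass
class SourceStats:
    """Per-source-address counters folded from a login log."""
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)         # distinct IDs tried
    unregistered: set = field(default_factory=set)  # IDs unknown to the service
    compromised: set = field(default_factory=set)   # registered IDs logged in OK


def parse_line(line):
    """Assumed log format: '<timestamp> <src_ip> <user> <OK|FAIL>'."""
    ts, src, user, result = line.split()
    return ts, src, user, result == "OK"


def aggregate(lines, registered):
    """Fold log lines into SourceStats keyed by source address."""
    stats = defaultdict(SourceStats)
    for line in lines:
        _, src, user, ok = parse_line(line)
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if user not in registered:
            s.unregistered.add(user)
        elif ok:
            s.successes += 1
            s.compromised.add(user)
    return dict(stats)


def stuffing_sources(stats, min_attempts=20, min_distinct_ratio=0.8,
                     min_unregistered_ratio=0.5):
    """Sources whose traffic looks like a leaked list being replayed: many
    attempts, nearly every attempt a different ID (one try per pair), and
    most of those IDs not registered here, as in the Vpass investigation."""
    flagged = []
    for src, s in stats.items():
        if s.attempts < min_attempts:
            continue
        distinct_ratio = len(s.users) / s.attempts
        unregistered_ratio = len(s.unregistered) / len(s.users)
        if (distinct_ratio >= min_distinct_ratio
                and unregistered_ratio >= min_unregistered_ratio):
            flagged.append(src)
    return sorted(flagged)


def accounts_to_reset(stats, flagged):
    """Registered accounts that a flagged source logged into successfully:
    the IDs whose passwords must be invalidated and whose owners notified."""
    out = set()
    for src in flagged:
        out |= stats[src].compromised
    return out


def build_sample_log():
    """Constructed sample: two legitimate users, plus one source replaying a
    40-entry leaked list of which 10 IDs exist here and 2 reuse their password."""
    lines = [
        "2019-07-03T01:00:00 198.51.100.7 alice FAIL",
        "2019-07-03T01:00:05 198.51.100.7 alice OK",
        "2019-07-03T01:01:00 198.51.100.8 dave OK",
    ]
    attacker = "203.0.113.10"
    tried = ["bob", "carol", "erin", "frank", "grace",
             "heidi", "ivan", "judy", "mallory", "oscar"]
    for i, user in enumerate(tried):
        result = "OK" if user in ("bob", "carol") else "FAIL"
        lines.append(f"2019-07-03T01:02:{i:02d} {attacker} {user} {result}")
    for i in range(30):
        lines.append(f"2019-07-03T01:03:{i:02d} {attacker} other{i} FAIL")
    return lines


if __name__ == "__main__":
    stats = aggregate(build_sample_log(), REGISTERED_USERS)
    flagged = stuffing_sources(stats)
    print("suspected list-attack sources:", flagged)
    print("accounts to reset:", sorted(accounts_to_reset(stats, flagged)))
```

The unregistered-ID ratio is the key discriminator: a user who mistypes a password retries the same registered ID, whereas a replayed list scatters across IDs the service has never seen. Attackers distributing attempts across many addresses will dilute the per-source counts, so in practice the same ratios are also worth computing per time window over all traffic, and rate limiting, device checks and two-step verification (the measures the 7pay section lists as missing) remain the controls that stop the successful logins themselves.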
Case of Mizuho Bank’s “J-Coin Pay”
On September 4, Mizuho Financial Group Inc. (Mizuho Bank) announced that a test system involved in the management of “J-Coin Pay” service providers had been illegally accessed, resulting in the leakage of 18,469 pieces of J-Coin affiliated store information.
Case of “10mois WEBSHOP”
On September 19, Ficelle Ltd. announced that its online shop “10mois WEBSHOP” had been illegally accessed. As a result, 108,131 pieces of customer personal information and 11,913 pieces of credit card information, including security codes, were leaked.
Case of the Official Website of Kyoto Ichinoden
On October 8, the official website of Kyoto Ichinoden Co., Ltd., known for its Nishikyo pickles, was illegally accessed and its payment form was tampered with. As a result, 18,855 credit card details, including security codes, and 72,738 pieces of member information and shipping history were leaked.
Case of “Shopping with Zojirushi”
On December 5, Zojirushi Corporation announced that its online store “Shopping with Zojirushi” may have been subjected to unauthorized access, potentially leaking up to 280,052 customer records. The cause is believed to be a vulnerability within the site, and the company has suspended operation of the shopping site since December 4.
Case of the Electronic Novel Service “Novelba”
On December 25, unauthorized access occurred on “Novelba”, an electronic novel service operated by Beaglee Inc., resulting in the leakage of 33,715 pieces of personal information, including registered users’ email addresses. In addition, the account information of 76 users registered in the reward program may also have leaked, raising the potential for secondary damage.
Summary
Appropriate measures to prevent information leakage and loss are becoming a critical issue for all organizations and companies handling personal information. Particularly for small businesses, which have fewer financial and human resources compared to listed companies, a leakage incident could potentially cause fatal damage to their management. Therefore, it is essential to address security measures and the establishment of information management systems. With the backdrop of utilizing big data, the importance of personal information is increasing. At the same time, advanced and sophisticated security measures against unauthorized access and strict information management have become crucial prerequisites for risk management.