MONOLITH LAW MAGAZINE

【Breaking News】The Number of Recognized Unauthorized Access Incidents in Reiwa 5 (2023) Triples in One Year

On March 14, 2024, the National Police Agency, the Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade and Industry published the “Incidents of Unauthorized Access” that occurred between January 1 and December 31, 2023.

This publication is based on the provision of the Japanese Act on Prohibition of Unauthorized Computer Access (Unauthorized Access Prohibition Act), which states, “The National Public Safety Commission, the Minister of Internal Affairs and Communications, and the Minister of Economy, Trade and Industry shall, at least once a year, publish the status of incidents of unauthorized access and the status of research and development related to access control functions of specific computers with access control features, to contribute to the defense against unauthorized access activities” (Article 10, Paragraph 1). The three ministries issue this press release every March.

Here, we will explain the situation of unauthorized access in 2023 (Reiwa 5) based on the press release “Status of Incidents of Unauthorized Access and the Status of Research and Development on Access Control Functions”.

Incidents of Unauthorized Access

In 2023, the National Police Agency reported 6,312 incidents of unauthorized access, a significant increase of approximately 186.9% or 4,112 cases from the 2,200 cases in 2022, marking the highest number in the past five years.

This surge is primarily due to the dramatic increase in “fraudulent transfers and other unauthorized transactions in internet banking,” which jumped from 1,096 to 5,598 cases.

Looking at the overall breakdown of incidents following unauthorized access, “fraudulent transfers and other unauthorized transactions in internet banking” accounted for the majority with 5,598 cases, followed by “unauthorized acquisition of information such as email snooping” (204 cases), “fraudulent purchases in internet shopping” (93 cases), and “unauthorized manipulation of online games and community sites” (83 cases).

In 2023, there were 521 arrest cases and 259 individuals apprehended for violations of the Japanese Unauthorized Access Prohibition Law, a slight decrease of one case and an increase of two individuals compared to the previous year, so the figures remained relatively stable.

The age group with the highest number of suspects was “20-29 years old” (103 individuals), followed by “14-19 years old” (73 individuals), and “30-39 years old” (53 individuals). Additionally, nine juveniles under the age of 14 were taken into custody for violations of the Japanese Unauthorized Access Prohibition Law, but they are not included in the count of arrests and apprehended individuals due to their age.

Among those apprehended or arrested, the youngest was 11 years old, and the oldest was 61 years old.

Source: Ministry of Internal Affairs and Communications | Situation of Unauthorized Access Incidents and Research and Development of Access Control Technology

Status of Arrests for Violations of the Unauthorized Computer Access Law

The Unauthorized Computer Access Law prohibits and penalizes the following:

  • Unauthorized access activities (Article 3)
  • Illegally acquiring someone else’s identification code (Article 4)
  • Acts that encourage unauthorized access activities (Article 5)
  • Illegally storing someone else’s identification code (Article 6)
  • Illegally requesting input of someone else’s identification code (Article 7)

Identification codes typically refer to “ID & Password.”

In 2023, the number of arrests and individuals arrested for violations of the Unauthorized Computer Access Law, broken down by type of violation, shows that “unauthorized access activities” accounted for 487 cases and 248 individuals, representing over 90% of the total. “Identification code acquisition activities” were 11 cases and 8 individuals, “identification code provision (encouragement) activities” were 13 cases and 10 individuals, “identification code storage activities” were 7 cases and 6 individuals, and “identification code illegal request activities” were 3 cases and 2 individuals.

Unauthorized access activities, the most numerous of these, are defined in Article 2, Paragraph 4 of the Unauthorized Computer Access Law as:

  • Identification code misappropriation type (impersonation type)
  • Security hole attack type

However, looking at the breakdown of arrests for unauthorized access activities in 2023, the “identification code misappropriation type” accounted for 475 cases, representing over 90% of the total.

Broken down by method, the most common form of “identification code misappropriation type” unauthorized access was “exploiting the weakness in the management and setting of the rightful user’s password” (203 cases), followed in order by “crimes committed by former employees or acquaintances who were in a position to know the identification code” (68 cases), “obtained by questioning or peeping from the rightful user” (40 cases), “acquired from another person” (36 cases), and “obtained through phishing sites” (10 cases).

Furthermore, looking at the services illegally used with someone else’s identification code in “identification code misappropriation type” cases, “online games & community sites” were the most common (234 cases), followed in order by “exclusive sites for employees/members, etc.” (82 cases), “internet shopping” (35 cases), “internet banking” (29 cases), and “email” (3 cases).

Arrest Cases in Reiwa 5 (2023)

Each year, the “Status of Unauthorized Access Incidents” includes several arrest cases as reference material.

A 21-year-old vocational school student created phishing sites impersonating legitimate social networking services (SNS) in October and December 2022, and published them on the internet. He illegally obtained IDs and passwords from multiple legitimate users and used them to access the SNS without authorization. He was arrested in April 2023 for violating the Japanese Unauthorized Access Prohibition Law (unauthorized access, illegal request for identification codes, and acquisition of identification codes) and the crime of creating and using private electromagnetic records without authorization.

A 30-year-old public servant set a personal identification number (PIN) for someone else’s My Number card without the owner’s consent in December 2022, and used the set PIN to access the system without authorization. She then credited points to the cashless payment service she was using. She was arrested in April 2023 for creating and using public electromagnetic records without authorization, violating the Japanese Unauthorized Access Prohibition Law (unauthorized access), and computer fraud.

An 18-year-old vocational school student approached users of a game account trading site in March 2023, offering to sell game accounts. After obtaining the site-related identification codes from prospective buyers, he accessed the site without authorization and illegally acquired points owned by the prospective buyers. He was arrested in July for violating the Japanese Unauthorized Access Prohibition Law (unauthorized access) and computer fraud.

A 25-year-old company employee guessed the passwords of multiple SNS accounts from August to November 2022, accessed them without authorization, and sent messages threatening harm while impersonating the legitimate users. He was arrested in August 2023 for violating the Japanese Unauthorized Access Prohibition Law (unauthorized access) and for extortion.

A 43-year-old company employee provided a colleague at his new job with the identification code assigned to employees for his former employer’s business card management system and accessed the system without authorization in June 2023. He was arrested in September for violating the Japanese Personal Information Protection Law and the Unauthorized Access Prohibition Law (unauthorized access).

A 20-year-old unemployed man and two others conspired in January 2023 to place a website on an overseas server, made to be mistaken for a website operated by an SNS provider, and made it accessible to an unspecified large number of people, asking them to enter their passwords. They were arrested in September for violating the Japanese Unauthorized Access Prohibition Law (illegal request for identification codes).

Summary: Urgent Need for Measures Against Unauthorized Access, Consult Experts

The “Status of Unauthorized Access Incidents” shows a continuing upward trend in unauthorized access incidents. As defensive considerations, the measures that rights holders should take include:

  • Proper setting and management of passwords
  • Measures against phishing
  • Measures against malicious programs

Furthermore, the measures that access managers should take include:

  • Establishing operational systems, etc.
  • Proper setting of passwords
  • Proper management of IDs and passwords
  • Measures against security hole attacks
  • Measures against phishing, etc.

These measures are highlighted as essential.

Crimes due to unauthorized access can potentially affect any company or individual using the internet, and the resulting damage can be significant. Therefore, it is crucial to pay attention to these measures.

If you suffer damage due to unauthorized access, you can file a criminal complaint, but the statute of limitations is set at three years. If you discover damage caused by unauthorized access, it is advisable to consult a lawyer familiar with the Japanese Unauthorized Access Prohibition Law as soon as possible.

Guidance on Measures by Our Firm

Monolith Law Office is a legal practice with extensive experience in both IT, particularly the internet, and law. Recently, the leakage of personal information has become a significant issue. In the event that personal information is leaked, it can have a critical impact on business operations. Our firm possesses specialized knowledge in preventing information leaks and in developing response strategies. Details are provided in the article below.

Areas of practice at Monolith Law Office: Japanese Personal Information Protection Law and Related Legal Services

The Editor in Chief: Managing Attorney Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. He has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.
