Leaked customer information held by a group company of Benesse Holdings Inc. was sold to software developer Justsystems Corp. through name-list traders and was used to send direct mail, sources said Thursday.
Benesse said Wednesday it had been hit by a data leak involving information on at least 7.6 million customers, and possibly as many as 20.7 million — including many children.
The source alleged that Benesse's investigation found that the leaked data had made its way to Justsystems, as some customers found direct mail from Justsystems bearing personal information that they had registered only with Benesse.
Justsystems, which also provides tablet computer-based education services, denied the accusation.
"There are some media reports saying that we sent direct mail knowing they contained Benesse's information, but that is not true," the firm said.
The sources said Justsystems, based in Tokushima, purchased the data from Bunkensya, a name-list trader in Fussa, on the western fringes of suburban Tokyo.
Bunkensya said it purchased the data sometime from late April to May from another list trader and said it did not know the data had been illegally obtained.
Tokyo-based Pan World, which sold the data to Bunkensya, also said in turn that it bought the information from yet another data trader.
Benesse suspects that an insider who is not an employee stole the information.
Japanese companies are struggling to deal with a spike in cybertheft attacks on the nation's online banking systems.
Police are investigating the case as a suspected breach of the law against unfair competition.
"We deeply apologize for causing great trouble," Benesse Holdings Chairman and Chief Executive Officer Eiko Harada said.