Benesse leak suspect held; firm plans compensation

Police say at least 10 name list brokers bought the data

JIJI, Kyodo, Staff Report

A Tokyo systems engineer was arrested Thursday on suspicion of illegal copying for allegedly stealing data on millions of customers from the computer servers of education service provider Benesse Corp.

The Metropolitan Police Department arrested Masaomi Matsuzaki, 39, on suspicion of downloading and copying the personal data of some 10.19 million Benesse customers onto his smartphone from the Tokyo branch of affiliate Synform Co. on June 17.

The data included the names and addresses of children and their birth dates. Matsuzaki was employed as a temporary worker at a database management contractor for Synform at the time.

Earlier, during voluntary questioning, Matsuzaki admitted selling the data to about 15 name list traders for some ¥2.5 million from July 2013 to June, according to the police. He used the money on gambling, the sources said.

Police searched Matsuzaki’s home in the western suburb of Fuchu in connection with the case on Thursday.

Benesse has filed a criminal complaint against Matsuzaki, claiming he leaked its business secrets. But the allegations have been restricted to illegal copying rather than unauthorized data disclosure so far because the latter would take a considerable amount of time to investigate, sources said.

Matsuzaki downloaded the data from Benesse’s database and copied it by unlocking its leak prevention system, investigators said. They also found that at least 10 name list brokers got hold of the data.

The police are checking the leaked information against the original data stored on Benesse’s database. They also plan to question, on a voluntary basis, officials of JustSystems Corp., which bought the data and used it to send out junk mail. JustSystems insists it did not know the data was stolen from Benesse.

Parent firm Benesse Holdings Inc. said last week that data on at least 7.6 million customers had been leaked, but it recently warned that as many as 20.7 million customers could have been compromised.

Benesse Chairman and CEO Eiko Harada submitted a report Thursday morning in person to industry minister Toshimitsu Motegi requesting measures to prevent similar incidents from taking place.

“It is extremely regrettable that the leaked personal data included those of elementary and junior high school students, and that (Benesse) failed to acknowledge it for as long as half a year,” Motegi told Harada at the Ministry of Economy, Trade and Industry.

Harada said his company will do its utmost to investigate the cause of the theft under a third-party committee set up Tuesday. METI had asked Benesse to submit the report by Thursday.

Later in the day, Benesse said it plans to set up a reserve fund worth up to ¥20 billion to compensate customers for the invasion of privacy.

The company also plans to form a special organization to support customers who are worried about the data leak, the latest in a series of “big data” incidents that have put people’s privacy at risk.

“We understand the gravity of the incident, so we decided to prepare the compensation money of ¥20 billion,” Harada told a news conference in Tokyo.

Benesse said it is considering giving out cash vouchers or offering discounts to those who use its education services.

The company said the data theft was discovered after it started getting complaints that customers were getting direct mail from other education providers even though they hadn’t given out their personal information.

Harada said Benesse set up its own investigative panel on Tuesday and vowed to thoroughly look into the causes to prevent another case like this from happening.

“Customers’ trust is the top priority,” said Harada, a well-known business manager who became president just last month.

  • Les

    Benesse needs to brush up on some GR&C best practices:

    Best practices for Global Governance, Risk & Compliance:

    – Be aware of the data that is being sent out of your control, either to an employee’s cloud, the organization’s own cloud, an employee’s flash drive or via any of the 65,000+ available channels. It only takes a few seconds for a trusted employee or untrusted entity (e.g. malware) to send data such as PII or PCI to the cloud or “phone home”, violating compliance regulations and/or policy. You need to understand and know what data was sent, from where, and to where it’s going.

    – Know what data you can send out of the network and where to. When data travels across borders, as it does so often, the risk increases on an exponential basis for the data owner.

    – Detection accuracy ensures you protect the correct data with the proper control and are alerted to irregular activity. Some data needs to be blocked, some just encrypted, while other information can leave without any issue. Many “DLP” solutions cannot accurately provide both the content and context awareness to respond.

    Cited from the GTB Technologies Data Leak Prevention site.