Japan Pension Service failed to prepare for cyberattacks, report says


The Japan Pension Service’s (JPS) slow response to — and lax awareness of — cyberattacks allowed the personal data of 1.25 million people to be hacked in May, an internal survey committee set up by the nation’s pension management agency said in a report released on Thursday.

The agency lacked detailed procedures to fend off cyberattacks, as well as awareness of the need to protect personal information, due to structural problems dating back to before the entity was reorganized from the Social Insurance Agency in 2010, it said.

To prevent future cyberattacks, the report said the agency will isolate personal data from the Internet and create a separate entity tasked with information security.

JPS also said that it will issue new pension numbers to 958,373 people whose personal information was stolen and whom it managed to track down. The rest of the 1.25 million whose information was leaked are deceased or could not be reached, the agency said.

“We apologize for having caused trouble,” JPS President Toichiro Mizushima said at a press conference announcing the report by the committee, which he chaired.

“Our responsibilities are very heavy,” he said. He did not clarify, however, whether he would resign as president.

The JPS suspected its computer system was infected with a computer virus on May 8, but existing rules only called for disconnecting infected computers from the Internet, the report said.

The virus is believed to have spread after JPS employees clicked on a malicious link contained in an email.

Clicking on the link prompted computers at the service to download a malicious program that allowed hackers to access the JPS system.

The data leak, including that of people’s pension numbers, names, birth dates and addresses, has been confirmed at JPS centers in Wakayama and Okinawa as well as its Tokyo center.

The report said the cyberattackers controlled the terminals on May 20, leading to the massive data leak from May 21 to 23, before the computer system was completely disconnected from the Internet on May 29.

In addition to the data of 1.25 million citizens covered by the public pension scheme, the personal data of 225 JPS officials and business manuals could have been stolen, the report said.

Meanwhile, the Metropolitan Police Department’s investigation into the cyberattackers has hit a snag, as the perpetrators used some 20 servers in and outside Japan to hack the JPS terminals.

The MPD’s public security bureau has been analyzing the communication records left on the infected PC terminals. At least one of the terminals had spikes in the volume of communications with a hacked server of a shipping company in Minato Ward, Tokyo, which was unrelated to the crime, investigators said.

The use of anonymous, free email addresses has also made the investigation into the hackers difficult, they added.

The investigators have found that malware called Emdivi was used to compromise the JPS computers, but they have not been able to identify the culprits.