The massive data leak of private information on millions of Benesse Holdings customers has highlighted Japanese firms’ inadequate security measures, revealing just how easily data can be taken outside of an organization by employees.
The huge amount of data leaked — which could affect as many as 20.7 million customers — points to a special need for firms to beef up their safeguards for confidential information.
“Nowadays, the size of data has grown considerably compared to a decade ago, and firms have to protect themselves from the inside, as well as from outside threats such as cyberattacks,” said Nobuhiko Tayama, director of Tokyo-based Global Security Experts, an information security and risk management consulting and solutions firm. “I think Benesse had faults to the extent that it couldn’t protect itself in terms of management of data from the inside.
“The biggest problem was that Benesse was not prepared to handle such big data, as it entrusted all management of data to its subsidiary,” Tayama said. “Benesse should have made their own strict rules regarding the management of data, and made the employees follow the rules accordingly.”
Junsuke Sawarame, a public relations officer at Trend Micro Inc., an Internet security firm, said that to prevent data leaks, it’s important for companies to “sort out employees who have data access at a firm.”
“Firms should sort out which data is used for what kind of purpose by which employee, in order to minimize access authorization,” Sawarame said. “Not all employees need to be authorized to have access to all kinds of data that the company holds.”
Also, using computer software that can regulate external connecting devices such as USB memory sticks would be useful, he added.
“For example, one could de-authorize the use of USB flash drives that are not permitted on the computer, or physically block the USB ports, if necessary,” Sawarame said.
On an individual level, Sawarame said, customers should check before they register for a service what kind of approach a firm is taking with regard to the management of information, especially confidential information.
According to an October 2009 Internet survey by Trend Micro, almost 30 percent of 1,000 company workers and local government employees in Japan replied that they “want to take out confidential information that is banned from being taken out of the office” when changing sections inside the firm or when they quit the company.
While 8.4 percent said they would like to take as much as possible of the information they used in their jobs, 21.3 percent said they would like to take just the information that would be “beneficial” in their next jobs.
The survey also revealed that nearly 70 percent of the employees felt it would be possible to take confidential information from their office, including personal details.
The survey went on to note that 85.7 percent said that even if they were to take such information without the firm’s permission, they wouldn’t feel at risk of being reported to the police by a third person or of facing investigation.
The data leak at Benesse, popular for its “Kodomo Challenge” and “Shinken Zemi” courses for preschool and elementary school children, is reported to have occurred in Tokyo late last year at affiliate Synform Co., when a systems engineer — a temporary employee — used an individual ID to access the data.
The data was then reportedly copied to a USB memory stick and sold to software developer Justsystems Corp. through multiple name-list traders.
Justsystems used the data purchased in May to send out direct mail to customers the following month.
News of the data leak emerged when some customers informed Benesse that they had received direct mail about the “Smile Zemi” correspondence course from Justsystems, a company that they did not give personal information to.