The massive leak last month of personal data from the Japan Pension Service was the result of a simple error by its employees: opening a virus-laced email attachment disguised as a health ministry document.
Hackers who tapped into the pension system and stole the data of 1.25 million people are believed to have used a classic ploy called a “targeted email attack.” It’s been around since around 2003 overseas and 2005 in Japan, but has become more sophisticated in recent years, with the email giving every appearance of containing legitimate and important business, experts say.
Police know of 1,723 targeted email attacks in 2014, up from 492 in 2013 and 1,009 in 2012, according to the National Police Agency.
The emails sent to — and opened — by Japan Pension Service (JPS) employees bore the subject line, “Regarding the Review of the Employee’s Pension Fund (Draft),” according to Kyodo News. It was exactly the same as the title of a document the Health, Labor and Welfare Ministry uploaded on its website in February 2013.
Targeted emails, aimed at remotely controlling infected PCs and stealing data from penetrated networks, have been disguised as everything from interview requests sent by newspaper reporters with an attached file bearing the name “list of questions,” to inquiries about job openings with a “resume” file attached, the IPA (Information-technology Promotion Agency) Japan, a government-affiliated IT security agency, said in a report released in January.
JPS officials said Monday that stolen data are limited to people’s pension IDs, names, birthdates and addresses, which were contained in the computer system used to send notices to individual members.
The agency’s core computer network, which contains such sensitive information as the amounts of premiums or benefits paid by and to individuals, was not connected to the infected PCs and thus was not affected, the JPS officials said.
They also said the only visible damage from the data theft was potential changes to members’ addresses. This means that pension notices regularly mailed to individual members and containing financial details could potentially be sent elsewhere.
Because pension premium levels and benefits are determined by people’s income levels, the information could be used to pick targets for financial frauds.
Furthermore, the stolen data could potentially be sold and combined with information obtained from previous, unrelated data breaches, according to Nobuhiro Tsuji, a security engineer at SoftBank Technology Corp.
“I think a database of individuals could be created by combining stolen (JPS) data with data stolen elsewhere previously, such as credit card data,” Tsuji said. “Such data can be traded for money.”
Yasunori Irisawa, a researcher at IPA, said organizations should safeguard themselves from cyberattacks by updating both their security software and PC applications.
Potential targets can also carry out simulated attacks, sending targeted emails to employees to see who is likely to be tricked by virus-carrying messages, he said.
People who have received suspicious calls or mail are urged to call the Japan Pension Service at 0120-818211. Operators are available from 8:30 a.m. through 9 p.m. until June 14.