A total of 100 messages with virus-infected files were sent simultaneously to email addresses given to Japan Pension Service staff, and police suspect those messages led to the recent massive leak of personal data, sources said Wednesday.
None of the email addresses had been disclosed to the public, and there is a possibility they had been obtained by hackers who previously attacked the organization’s system using computer viruses.
The initial attack, on May 8, was made using an email sent from a free account to the pension body’s public address, the sources said. The email contained external links.
Clicking such links may have helped the attackers gain access to the undisclosed email addresses, experts said.
In a second attack on May 18, the same free account was used to send 100 emails to the undisclosed addresses, the sources said.
The organization said Monday that data including names and ID numbers of about 1.25 million people in Japan’s universal public pension program had leaked following unauthorized access by hackers, and the government apologized.
On Wednesday, lawmakers took aim at the pension body for its data management during a Diet session, prompting its president, Toichiro Mizushima, to express his intention to fundamentally review how the organization keeps personal data.
The organization said it had installed antivirus software that automatically eliminates attachments containing viruses, but the software may have failed to detect the latest virus, which was new and did not come in an attachment.
The pension organization is now considering banning employees handling personal pension data from accessing the Internet or keeping such data in shared digital folders, Mizushima said.
The police found some of the leaked data on the server of a Tokyo-based company, suggesting the hacker gained access to the pension data through that company's server.
The pension organization discovered the virus infection on May 8 and reported it to the police on May 19. Police confirmed the data leak on May 28.