At least 2.07 million sets of personal data were stolen or feared leaked from 140 companies and other organizations in Japan that said they were hit by cyberattacks in 2015, according to a Kyodo News survey.
Of the 140 victims, 75 said they noticed the data breaches only after police or another outside group alerted them. The victims consist of 69 private companies, 49 government agencies and their affiliates, and 22 universities.
Among the remaining 65 organizations, 40 said they discovered on their own that they had been targeted.
The Japan Pension Service, operator of the country’s public pension program, incurred the largest data theft — about 1.25 million sets of ID numbers, names, addresses and birthdates.
Security experts warned that the figures are “just the tip of the iceberg” and there could be many organizations that were victimized and don’t even know it. They pointed to the need for companies and organizations to share information and cooperate beyond industries.
Printing company and website producer Seki Co. in Matsuyama, Ehime Prefecture, said there is a possibility that up to 267,000 data sets — including credit card information — could have been stolen from a server for the websites of 17 companies.
Confectionery company Chateraise Co. in Kofu, Yamanashi Prefecture, said some 210,000 personal data sets were possibly leaked, while model manufacturer Tamiya Inc. in the city of Shizuoka said 107,000 may have been stolen.
The 75 bodies said they were informed of the cyberattacks by police or the Japan Computer Emergency Response Team Coordination Center, which supports organizations that have come under attack.
Waseda University, one of the nation’s top private universities, said it found out after being alerted that the theft of students’ personal data had begun six months earlier.
Of the 140 bodies reporting cyberattacks, 19 including the Japan Pension Service, the Petroleum Association of Japan, the University of Tokyo and trading house Itochu Corp. were targeted via email messages with virus-infected files attached, as well as other types of attacks.
Thirty-two organizations were confirmed to have come under DDoS attacks, or distributed denial of service, which are intended to paralyze a targeted website by overwhelming it with much higher than normal traffic from multiple sources.
The DDoS attacks are suspected to have been carried out against the official website of Prime Minister Shinzo Abe by the Anonymous hacker group in a sign of protest at Japan’s plan to resume research whaling in Antarctica.
The website became temporarily inaccessible last month.