National

Data breaches exposed nearly 2.7 million morsels of personal info in Japan in 2018

Kyodo

At least 2.68 million pieces of personal information held by over 100 Japanese entities were subject to unauthorized disclosures in 2018, a Kyodo News survey found Wednesday.

The data disclosures were confirmed and revealed by 104 organizations, including hotel operators and universities as well as French hotel reservation service Fastbooking SAS, whose breach exposed the information of people who had reserved rooms at Japanese hotels.

MS&Consulting Co. in Tokyo suffered the biggest data loss, with some 570,000 items of personal data such as email addresses, passwords and phone numbers affected.

In the Fastbooking case, in June last year, a hacker stole around 320,000 pieces of customer data from its Japanese clients, including names, addresses, nationalities and dates of stay.

Of some 400 lodging providers in Japan affected by the hacking of Fastbooking’s server, 28 businesses including Prince Hotels Inc. and Fujita Kanko Inc. announced publicly that they were affected.

In similar cases, Hirosaki University in northeastern Japan, Yokohama City University and 12 other national, public and private universities came under cyberattack, causing emails to be exposed.

Shopping mall operator Mitsubishi Estate-Simon Co. in Tokyo and Oshino Village Sightseeing Association in Yamanashi Prefecture both had information stolen, which was then found posted on overseas online bulletin boards and websites.

The survey did not include the personal data of Japanese Facebook users affected in a high-profile breach in October that Facebook said had caused the data of around 29 million people worldwide to be exposed. The U.S. social media giant has not disclosed the numbers by country.

This year there have already been at least two more massive incidents.

OGIS-RI Co., which operates a large-capacity file transfer service, said in January that 4.8 million items of personal information may have been exposed, while Toyota Motor Corp. said in March that 3.1 million pieces of customer information held by its marketing units were disclosed.

Harumichi Yuasa, a professor at the Institute of Information Security in Yokohama, said Japan needs a law requiring companies and other organizations to swiftly notify the government and individuals affected when data breaches occur.

“Businesses are required to more strictly manage personal information, as their increasingly globalized operations result in more frequent transmission of such data between (Japan and) overseas,” Yuasa said.

The European Union, for instance, obliges companies to report data leaks within 72 hours and to contact customers.