NEC Corp. said Friday it came under major cyberattacks that resulted in unauthorized access to 27,445 files, including those related to its work with the Defense Ministry, over several years through 2018.
The company said it had not confirmed any damage such as unauthorized disclosures resulting from the attacks. The files were saved on servers it used for defense-related and other business. Highly classified information, such as proposals to clients, were kept at a remote location that was not connected to the network, it said.
The revelations have added to concerns about the nation’s cybersecurity. Last week, Mitsubishi Electric Corp. admitted it had been subject to a similar attack and that some classified information was leaked. Mitsubishi Electric also holds a key position in Japan’s defense and infrastructure industries.
NEC said it had failed to detect some of the attacks that started to be made after December 2016. It said it confirmed in June 2017 that in-house computers had been infected with malware and were making unauthorized communications, adding that it isolated the devices and suspended the network.
At NEC, the defense-related data potentially exposed is said to have included technical proposals made by the firm to the Maritime Self-Defense Force in relation to submarine sonar.
Personal computers and servers at the headquarters and other offices of the electronics company were also targeted, government and other sources have said.
“We deeply apologize for causing great worry and concern to stakeholders,” the company said in a statement.
Part of the log files that contain records of illicit access to servers and systems have been deleted, the sources said. The company has taken steps to fix vulnerabilities in its networks.
The Acquisition, Technology and Logistics Agency, which works under the Defense Ministry, said that information the ministry needs to protect has not been stolen.
Defense Minister Taro Kono denied any unauthorized disclosure of classified information at a news conference on Friday.
Kono added that some other defense-related firms had also been targeted for cyberattacks in fiscal 2016 and 2018. The minister did not name the firms, but indicated that he would do so some time soon.
The attack on NEC will likely stir up a debate over the cybersecurity practices of Japanese firms, especially those that work in fields related to national security.
In the case of Mitsubishi Electric, the potentially released information included email exchanges with the Defense Ministry and the Nuclear Regulation Authority, as well as documents related to projects with private firms including utilities, railways, communication companies and automakers.
It said, however, that there had been no breaches in the security of highly sensitive information pertaining to infrastructure operations.
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.