The government-affiliated Japan Pension Service’s computer system has been hacked, resulting in the leak of the names and pension ID numbers of 1.25 million pension premium contributors and pension recipients. In some cases, birthdates and addresses were also stolen. The leak is unprecedented among government organizations in terms of the number of people affected.

The government should take effective measures to prevent the stolen data from being misused for purposes such as pension fraud. In addition, the investigation committee set up following the revelation of the leak last week must determine how serious the government and the JPS were about security.

The hack occurred when JPS workers opened email attachments containing viruses. The first virus was detected on May 8 and the JPS reported the incident to the Health, Labor and Welfare Ministry. Another virus was detected on May 18 in 100 emails sent to the JPS. The next day, the JPS asked the Metropolitan Police Department to investigate. On May 28, the MPD told the pension organization that the pension data had been leaked. The JPS went public with the leak on June 1.

The viruses allowed the perpetrators to penetrate networks by remotely controlling infected personal computers. The JPS said that although 27 PCs were attacked, the organization’s core system, which stores such information as the records of premium payments and the amount of pension paid to each pensioner, is separated from the LAN system used for daily business and therefore was not affected. But the leak of personal information was still grave.

One wonders whether the government and the JPS are sufficiently aware of the importance of data protection. Last week it was revealed that the JPS is not among the government organizations that are required to have a high level of preparation to counter cyberattacks.

After the JPS notified the health and welfare ministry about the May 8 incident, only a low-ranking ministry official dealt with the issue. When the JPS asked the MPD to investigate, the official did not even report the JPS’ action to a relevant superior. Cabinet ministers and government bureaucrats need to change their attitudes and realize the extreme importance of protecting pension data. Pensions provide the sole income for many elderly citizens.

When a computer virus is detected in an organization, it is logical to assume that other computers may be infected and to take action accordingly. But the JPS did not do so. It had also failed to set passwords on personal data belonging to some 550,000 participants in the pension scheme that was stored on its network, even though an internal rule requires it.

The JPS says that it had routinely told its workers not to open suspicious email. But this is not a proper solution. The JPS — as well as other organizations for that matter — should build a system designed to minimize damage on the assumption that some workers may open suspicious emails and that cyberattacks are inevitable.

Given the massive damage done, at the very least the JPS must fulfill its duty of offering a clear explanation about what actually happened and why it failed to prevent the data leak.

