A third-party probe into the leak of pension-related data from the government-affiliated Japan Pension Service's computer system exposed how unprepared both the organization and the Health, Labor and Welfare Ministry were for the risk of cyberattacks. Establishing clear and rational procedures to defend against computer hacking will be important, but the officials and workers at the JPS should first be made keenly aware of the gravity of the data leaks and the importance of protecting personal information.

In May, the names and pension ID numbers of some 1.25 million pension premium contributors and pension recipients were leaked from the Japan Pension Service. An outside committee set up to probe the leak has found that the organization did not have a manual to cope with computer hacking and that its system storing such data as the names and basic pension numbers of pensioners and premium contributors was connected to the Internet. It is clear that the JPS's awareness of the danger from hacking was deplorably low.

According to the committee's findings, the JPS received the first targeted email, with a virus-laden file attached, on May 8. Although the organization distributed written warnings about the email among its workers, it failed to give necessary specifics, such as the email address and the subject line, and failed to take steps to reject emails sent from that address. The JPS had no clear rules to cope with such an attack except severing the Internet connections of the computer terminals. It had not set procedures to bring the whole organization offline or to identify workers who had received virus-infected emails. These failures led the organization to receive 101 emails in targeted attacks on May 18. On May 20, the attacker hijacked the system administrator's authority and spread the virus infection to 26 terminals. The data of some 1.25 million people was then leaked over three days from May 20.