A third-party probe into the leak of pension-related data from the government-affiliated Japan Pension Service’s computer system exposed the unpreparedness of both the organization and the Health, Labor and Welfare Ministry against the risk of cyberattacks. Establishing clear and rational procedures to defend against computer hacking will be important, but the officials and workers at the JPS should first be made keenly aware of the gravity of the data leaks and the importance of protecting personal information.

In May, the names and pension ID numbers of some 1.25 million pension premium contributors and pension recipients were leaked from the Japan Pension Service. An outside committee set up to probe the leak has found that the organization did not have a manual to cope with computer hacking and that its system storing such data as the names and basic pension numbers of pensioners and premium contributors was connected with the Internet. It is clear that the JPS’s awareness of the danger from hacking was deplorably low.

According to the committee’s findings, the JPS received the first targeted email with a file containing a virus attached to it on May 8. Although the organization distributed written warnings among its workers about the email, it failed to give necessary specifics, such as the email address and the subject title, and failed to take steps to reject emails sent from that address. The JPS had no clear rules to cope with such an attack except severing the Internet connections of the computer terminals. It had not set procedures to bring the whole organization offline or to identify workers who have received virus-infected emails. These failures led the organization to receive 101 emails in targeted attacks on May 18. On May 20, the attacker hijacked the system administrator’s authority and spread the virus infection to 26 terminals. The data of some 1.25 million people was then leaked over three days from May 20.

The third-party probe found that high-ranking officials of the JPS did not order monitoring of online communications even after they received reports from their subordinates about the cyberattack, and that the JPS did not notice the data leak until May 28, when it was alerted by the Metropolitan Police Department. Even at this point, JPS executives did not take the whole organization offline, fearing that it would cause problems for its operations. It was only the following day that the organization was taken offline.

The JPS had not set a password for access to personal information stored in its computer system. When a worker reported the first targeted e-mail to a superior, the latter did not respond properly.

The response of the welfare ministry, which supervises the JPS, was also far from satisfactory. On April 22, its Pension Bureau was hit by a similar targeted email, but it did not alert the JPS about the possibility of a cyberattack. The third-party committee determined that if the ministry had immediately notified the JPS about the incident, the data leak could have been prevented. It was also found that the ministry has only one worker in charge of cyber security.

What happened at both the JPS and the welfare ministry points to insufficient awareness about risks from cyberattacks. This is a structural problem. The committee’s report said the JPS left the matter of how to handle cyberattacks to low-ranking workers and that its senior officials were not involved. In short, the JPS lacked an organized response to the issue of cyber security.

The JPS was set up in 2007 during Shinzo Abe’s first stint as prime minister as a replacement for the Social Insurance Agency, an external bureau of the welfare ministry, which was abolished over pension-related problems, including its inability to trace tens of millions of records of pension premium payments back to specific individuals. Such problems were blamed on the cozy ties between the SIA and the welfare ministry, which failed to adequately supervise the agency’s shoddy work. The latest hacking of the JPS’s system and the data leak show that the organization, which took over the SIA’s workload and employees, and the welfare ministry have not overcome this structural deficiency.

To rectify the situation, the JPS’s in-house investigation panel proposed two measures: placing the shared file server, which handles personal information of subscribers to the pension system, inside the core system to completely insulate the server from the Internet, and establishing a section that will serve as its command center for information security measures.

While these steps will be meaningful, organizational changes alone will not be enough to prevent similar problems at the JPS. Experts point out that it is impossible to completely prevent cyberattacks. Therefore, it will be all the more important for all officials and workers at the pension organization to develop and share a common recognition of the need to do their utmost in unison to minimize damage in the event a cyberattack takes place.
