A huge amount of personal information has leaked from a public
organization that deals exclusively with the pension system. The Japan Pension Service
announced that personal information for one million and two hundred fifty
recipients was leaked in a cyber attack on its computer system last month.
The leaked information included names, birth dates, mailing addresses and basic pension
registration numbers. It was unclear who obtained the information. The
organization's explanation indicated that the trouble was caused by low
motivation among the workers.
It was May 8th when an email titled “On Revision
of Employee’s Pension Fund” arrived at the computer of a JPS worker. In
spite of instructions not to open unidentified email, the worker carelessly
opened the attachment, and an alert for inappropriate use of the computer immediately
came to the worker. The organization disconnected the computer and urged all
workers to be careful about cyber attacks. But the intruder had already
accessed personal data in the system.
Despite repeated warnings, the same thing happened with another email
on May 18th. The organization consulted the police about the
incident the day after, and it reported to the police that 1.25 million items of personal data
had leaked by May 28th. At that point, forty computers were already infected
by the virus. The organization is responsible for insufficient prevention
efforts. The story showed that JPS failed not only in avoiding the cyber attack,
but also in containing the infection.
Some consequences may reach the pension recipients. Although
the organization will issue new pension numbers to replace the stolen ones,
it is still possible that someone will misuse the information to steal pension
money. Salespeople from private companies may approach pension recipients
using the leaked information. Combined with already leaked credit information,
new crimes using someone’s personal data can be predicted.
JPS was established as the successor of the former Social
Insurance Agency, which was involved in a major scandal of losing pension records.
It revealed its incompetence in dealing with important personal data, as SIA
did. It is unavoidable for the Japanese pension system to lose its credibility.
In the background, there is a structural vulnerability of
governmental organizations to cyber attacks. Computer systems of major
governmental organizations, including the Ministries of Foreign Affairs, Finance or
Agriculture, have already been infected by external intrusion. Not enough attention
has been paid to cyber attacks in Japan, compared to the United States, which
recognizes cyber attack as a military matter. While the issue most affected by
the incident would be the My Number system, a new registration of all citizens for
managing tax and social security information, the government can only say to
the people that “It’s ok because the system will be protected by firewall.”
Well, there is no firewall in Japan, you know.