Fujitsu Data Breach: Japan Government Orders Company to Take Corrective Action
Updated: Jan 5
Japanese authorities demand action from Fujitsu following data breaches affecting 1,700 companies and government agencies due to poor governance and delayed detection.
Japanese authorities have instructed Fujitsu to implement corrective measures after the hacking of its cloud service resulted in data leaks affecting a minimum of 1,700 companies and government agencies. The Ministry of Internal Affairs and Communications attributed the breaches to inadequate governance, blaming Fujitsu for taking eight months to discover the hack. The breaches occurred between March and November of the previous year before being detected in December.
Highlighting significant issues with security measures, the supervisory mechanism and risk management, an official from the communications ministry expressed deep regret over the multiple leaks. The breach occurred in the cloud-based Fenics internet service, which is utilised by government agencies and corporations. It resulted from a configuration mistake made by Fujitsu, which also failed to detect the unauthorised access.
Notably, Fujitsu had already experienced cyberattacks on two other cloud services since 2021. Despite implementing prevention measures following those attacks, the company was still vulnerable when the attack on Fenics occurred. Senior officials at Fujitsu were unaware of the details of these incidents, indicating inadequate governance and unclear authority within the internal committee responsible for preventing recurrences.
Government officials suspect the involvement of hacker groups affiliated with the Chinese government in all three attacks, as Fujitsu develops critical infrastructure and systems for government agencies. Consequently, the government has decided to take administrative action, marking the first instance of guidance being issued based on the Telecommunications Business Act in response to cyberattacks. The act allows the ministry to intervene when the secrecy of communications, protected by Japan's constitution, is deemed at risk.
The government has been urging companies to enhance their cybersecurity measures and warning of potential liabilities for damages resulting from insufficient protection of data. Japanese companies have been experiencing an increasing number of cyberattacks, with an average of 1,018 attacks per company per week between January and March of this year—an uptick of 17% compared to the previous year, according to Check Point Software Technologies.
Additionally, there are deficiencies in the government's ability to monitor potential threats. While Fujitsu's Fenics service is part of Japan's Information System Security Management and Assessment Program (ISMAP), which evaluates the safety of cloud services, it does not meet the current criteria for auditing services that come under attack.
Overseas authorities have also taken action against weak cybersecurity practices in companies. The U.S. Securities and Exchange Commission recently indicated the possibility of civil enforcement action related to a significant 2020 data leak that impacted approximately 100 private and government organisations.
During a general shareholders meeting, Fujitsu CEO Takahito Tokita expressed his deep apologies and the shareholders' profound concerns regarding the cyberattacks. However, he has yet to hold a separate news briefing to address the implications of these attacks.
Despite expecting a record net profit for the second consecutive fiscal year in 2023, Fujitsu's cybersecurity vulnerabilities may cast doubt on its long-term performance as confidence wavers.
Fujitsu instructed to take corrective measures following data breaches affecting 1,700 companies and government agencies.
Breaches attributed to poor governance and delayed detection.
Multiple leaks occurred due to significant security, supervisory and risk management issues.
Source: NIKKEI ASIA