What are the Frequent Corporate Personal Information Leakage Incidents? Explanation of Cases and Countermeasures
In recent years, frequent corporate personal information leakage incidents have led to increased scrutiny of security management.
This article introduces actual corporate personal information leakage incidents as case studies and explains their causes and countermeasures.
Since no company that handles personal information can afford to ignore this issue, IT managers, in particular, should pay close attention.
Table of Contents
- Personal Information Leakage Incident Case Studies
- SourceNext Corporation Case
- Zurich Insurance Company Case
- Amagasaki City Case
- Japan Maritime Self-Defense Force Case
- snkrdunk.com Case
- What are the Causes of Personal Information Leakage?
- Infection by Malware and Phishing
- Human Error by Involved Parties
- Internal Fraud and Data Theft
- Four Countermeasures to Prevent Information Leakage
- Implementation of the Latest Security Software
- Preparation and Agreement of Confidentiality Documents
- Thorough Risk Management and Education Regarding Personal Information Leakage
- Introduction of Fraud Detection Services
- Conclusion
1. Personal Information Leakage Incident Case Studies
Let’s delve into examples of personal information breaches at companies and municipalities.
We’ll examine five noteworthy cases, shedding light on the incidents’ root causes.
1-1. SourceNext Corporation Case
SourceNext Corporation announced on February 14, 2023, that 120,982 personal information records and 112,132 customer card information records were leaked due to unauthorized access to its official website.
The cause was a vulnerability in the official website; the attackers exploited it to tamper with the payment system.
The potential victims were users who registered card information or purchased products/services on the official website between November 15, 2022, and January 17, 2023.
The company is currently strengthening its security against unauthorized access and warning customers about fraudulent use of card data and phishing scams.
1-2. Zurich Insurance Company Case
Zurich Insurance Company announced a personal information leakage incident on January 9, 2023.
The cause was a security deficiency in a server under construction, through which data was stolen by unauthorized access.
Up to 698,767 people were affected; after discovering the leak, the company reported it to the supervisory authorities and deleted the customer information held on the server.
1-3. Amagasaki City Case
In Amagasaki City, Hyogo Prefecture, an incident occurred on June 21, 2022, where an employee involved in temporary benefit payment operations lost a USB memory stick containing personal information.
The cause was that no procedure for transporting the data outside the office had been defined, and the data was taken out without obtaining permission from Amagasaki City.
Currently, there have been no confirmed external leaks.
As a countermeasure, the city has prohibited taking data out without permission, defined the permitted transportation methods, and is enforcing security management thoroughly.
1-4. Japan Maritime Self-Defense Force Case
In March 2020, a first-class captain of the Japan Maritime Self-Defense Force leaked information containing specified secrets, as defined by the Specified Secrets Protection Law, to a retired former Fleet Commander.
The retired officer had requested the information from the captain; this was the first time anyone was punished for leaking specified secrets to an outside party.
The Japan Maritime Self-Defense Force has announced that it will further strengthen its information security to prevent recurrence.
1-5. snkrdunk.com Case
snkrdunk announced that there was a cyberattack on its official website, “SNKRDUNK,” in June 2022.
Up to 2,753,400 personal information records may have been leaked, although credit card numbers and identity documents were not among them.
They reported that they would further strengthen security to prevent recurrence.
2. What are the Causes of Personal Information Leakage?
We often hear about personal information leakage due to unauthorized access, but what specific methods are used to steal data?
Here, we will explain the causes of personal information leakage.
2-1. Infection by Malware and Phishing
The most common pattern of information leakage is unauthorized access gained through malware infection or phishing.
Malware is malicious software, such as viruses, worms, and keyloggers, that intrudes into a device’s system and performs harmful actions.
It typically arrives through a deceptive email or a fake website that tricks the user into installing a file or program containing the malware, which then steals information.
Phishing, another common method, has also been on the rise in recent years.
Like malware infection, it relies on luring users through emails and fake websites.
The difference is that phishing harvests the personal information that users themselves enter on the fake website.
With the spread of remote work, the security of devices used for company business is increasingly left to individual employees.
As a result, damage from malware and phishing is increasing, and even greater caution is required.
2-2. Human Error by Involved Parties
As in the case of Amagasaki City, personal information leakage may occur due to human error by those involved.
- Taking personal information home to do work
- Sending emails or faxes containing information to the wrong recipient
- Losing documents or data containing personal information that was taken out
Such human errors are not intentional, but they occur because security management is not thorough.
2-3. Internal Fraud and Data Theft
As in the case of the Japan Maritime Self-Defense Force, insiders may gain unauthorized access or take data out in order to leak personal information intentionally.
Outsiders may also pose as cleaning contractors and attach devices to company equipment to steal information, so the threat cannot be attributed to internal personnel alone.
Note also that internal fraud damages the company’s credibility and has a significant impact on management.
3. Four Countermeasures to Prevent Information Leakage
Today, both individuals and companies are expected to understand and implement effective countermeasures against personal information leakage.
Below we introduce four generally recommended measures; implement as many of them as possible and manage the security of customer information thoroughly.
3-1. Implementation of the Latest Security Software
The most effective way to prevent malware infection is to keep up-to-date security software installed.
Current security software can detect even malware that disguises itself as a seemingly harmless program, such as a Trojan horse.
It also helps cover vulnerabilities in websites and software, so security software is essential not only on company devices but also on devices used by individuals.
Because malware evolves daily, relying on outdated security software can leave you infected without realizing it.
An effective countermeasure is to regularly check whether the security software you have installed is the latest version.
3-2. Preparation and Agreement of Confidentiality Documents
By exchanging documents regarding confidentiality obligations with employees and related parties, it becomes easier to unify awareness regarding internal fraud prevention and the handling and leakage of personal information.
If you specify what penalties will be imposed if the confidentiality obligation is violated, the awareness of employees and related parties regarding the handling of personal information should increase.
If you are creating documents on confidentiality obligations from now on, please refer to the Ministry of Economy, Trade and Industry’s “Reference Material 2 Reference Examples of Various Contracts, etc.”
3-3. Thorough Risk Management and Education Regarding Personal Information Leakage
Thorough risk management and education regarding personal information leakage should also be carried out.
Awareness of personal information protection tends to fade in the course of daily work.
Regular training on the handling of personal information is therefore necessary, so that everyone remains aware of what must always be done.
In addition, a checklist of risk-management actions that each employee can perform on their own should be created, and employees working from home or off-site should be asked to follow it.
3-4. Introduction of Fraud Detection Services
Taking countermeasures only after a personal information leak has occurred is too late, and in some cases the leak becomes a public scandal covered in the news.
For endpoint security in particular, introducing a fraud detection service should be actively considered.
For risks that cannot be addressed by individual awareness and actions alone, use the latest security services to manage them as far as possible.
Conclusion
This article has explained cases, causes, and countermeasures related to personal information leakage incidents.
Companies that handle personal information always bear the responsibility of protecting their customers from malicious parties.
However, in recent years, security software and services have been enhanced, making it possible to improve endpoint security.
Security management should be carried out thoroughly to avoid losing the company’s credibility.
For EXO Security usage fees or other inquiries, please contact globalsupport@jiran.com