The Importance of Data Leakage Prevention: Lessons from the Amagasaki City USB Incident

USB Memory Loss Incident

Many of you may remember the crisis in which the personal information of ordinary citizens on a USB memory stick was lost and exposed to the public.

In this article, we will re-examine the importance of data leakage prevention through this incident.

Table of Contents

  1. What is the USB Memory Loss Incident in Amagasaki City?
    1. Circumstances, Background, and History of the Incident
    2. Many Problems Exposed
    3. Crisis of Personal Information Leakage for All Amagasaki Citizens
  2. Problems in Terms of Information Security
    1. Lack of Security Awareness
    2. Poor Management of USB Memory
    3. Deficiencies in Password and Access Right Settings
  3. Aftermath of the USB Memory Loss Incident
    1. Publication of Investigation Reports by Amagasaki City and BIPROGY
    2. Amagasaki City Claims Damages from BIPROGY
  4. Thorough Data Leakage Prevention Measures Based on the Lessons Learned from the USB Memory Loss Incident
    1. Do Not Save to USB
    2. Encryption and Password Settings
    3. Security Risk Awareness and Caution
    4. Use of Data Leakage Prevention Tools
  5. Summary

1. What is the USB Memory Loss Incident in Amagasaki City?

First, let’s re-organize the overview and problems of the USB memory loss incident.

1-1. Circumstances, Background, and History of the Incident

In June 2022, an incident occurred in Amagasaki City, Hyogo Prefecture, in which a USB memory stick containing the personal information of approximately 460,000 Amagasaki citizens was lost.

A male employee of a re-re-subcontractor of “BIPROGY Co., Ltd. (formerly Nippon Unisys Co., Ltd.)”, a major information systems company entrusted by Amagasaki City, lost a bag containing the USB memory stick while intoxicated.

Fortunately, the bag was found safely three days later. There was no evidence that the data on the USB memory stick had been used illegally, and no information was leaked.

1-2. Many Problems Exposed

This incident exposed many problems, including the following:

  • Poor management of confidential information
  • Unclear rules for handling USB memory sticks
  • Violation of the outsourcing contract (unauthorized re-outsourcing or re-re-outsourcing, etc.)
  • Lack of crisis awareness among Amagasaki City employees (disclosure of the number of password digits at a press conference, etc.)

There are many other problems, but overall, the biggest problem may have been the low security level of all parties involved, including Amagasaki City employees, BIPROGY employees, partner companies, and the male employee in question.

1-3. Crisis of Personal Information Leakage for All Amagasaki Citizens

The loss of this USB memory stick created a crisis in which the personal information of 460,000 people could be leaked.

The personal information included not only names and addresses, but also information on tax payments and account information for households receiving livelihood assistance and child support.

If this information had been misused, the privacy and financial well-being of residents could have been harmed. Even though no information was leaked, Amagasaki City and BIPROGY bear very heavy responsibility for causing this situation.

2. Problems in Terms of Information Security

The incident exposed many problems. Here we focus on those related to information security.

2-1. Lack of Security Awareness

In this incident, it is clear that the security awareness of employees was lacking. Low security awareness causes many problems.

The fact that the employee revealed the number of digits of the password at the press conference was also due to a lack of security awareness.

In addition, people with low security awareness may continue to use weak passwords without concern, or reuse the same password for multiple accounts. Had those involved been fully aware that they were handling confidential information, they would not have so readily copied important data to a USB memory stick and taken it outside.

It is necessary to develop rules for handling confidential information and to educate and train employees thoroughly on information security. Above all, it is important to recognize anew the importance of information and to be able to handle it appropriately.

2-2. Poor Management of USB Memory

USB memory is a convenient tool for data transfer, but its insufficient management was also a problem.

Strict rules must be established for the use and removal of removable media such as USB memory and hard disks. In some cases, it may be necessary to prohibit their use.

Even if use is permitted, appropriate countermeasures must be taken, such as always encrypting the data and managing the devices thoroughly with tools.

2-3. Deficiencies in Password and Access Right Settings

For confidential information, access logs must be strictly managed with tools and software to track who did what processing and when. Access control must be strictly enforced to prevent unauthorized persons from easily accessing information.

Putting a password on a USB memory stick is not enough on its own. Once the number of digits is known, the password can be guessed easily.

Passwords and access rights for important data must be set correctly and enforced strictly.

3. Aftermath of the USB Memory Loss Incident

After the incident that occurred in June 2022, Amagasaki City published an investigation report in November 2022, and BIPROGY Corporation published one in December of the following year.

3-1. Publication of Investigation Reports by Amagasaki City and BIPROGY

After the incident, Amagasaki City and BIPROGY each established a third-party committee, conducted an investigation, and published a report.

Both reports describe the situation, causes, and recurrence prevention measures in detail, each from its own party's perspective.

Although the direct cause of this incident was the loss due to individual carelessness, the root cause was that all parties involved, including Amagasaki City employees and BIPROGY employees, underestimated security risks.

References: [Amagasaki City “About the loss of USB memory containing personal information”](https://www.city.amagasaki.hyogo.jp/kurashi/seikatusien/1027475/1030947.html)

References: [BIPROGY “About the USB memory loss incident”](https://www.biprogy.com/com/info_security/info202206.html)

3-2. Amagasaki City Claims Damages from BIPROGY

In June 2023, Amagasaki City claimed approximately 29.5 million yen in damages from BIPROGY, and the full amount was paid.

The breakdown includes expenses incurred for the investigation, employee work allowances, and administrative expenses. The incident occurred in June 2022, and it was almost resolved in about a year.

4. Thorough Data Leakage Prevention Measures Based on the Lessons Learned from the USB Memory Loss Incident

The incident was settled with the payment of damages, but what should we learn from it? Let’s organize data leakage prevention measures properly so that we do not cause a similar incident ourselves.

4-1. Do Not Save to USB

USB memory is a convenient tool that allows you to easily copy data between PCs that are not connected to a network. However, the same ease of copying also means that data can leak just as easily.

The use of USB memory in business should be restricted as much as possible. At the very least, storing personal information or confidential information should be prohibited.

Instead, use secure cloud storage or servers to manage and protect data with strict access right settings.

4-2. Encryption and Password Settings

When transferring data, always encrypt the data and set passwords strictly.

You should also consider using tools that automatically detect and forcibly encrypt personal information and confidential information on your PC to protect your data.

Various measures should be in place so that the information cannot be decrypted even if the data is lost or falls into the hands of a third party.

4-3. Security Risk Awareness and Caution

It is important to conduct awareness-raising activities on security risks for employees and to call attention to the handling of information.

It is necessary to raise the information security awareness of all employees by formulating security policies and guidelines and by conducting regular employee training thoroughly.

4-4. Use of Data Leakage Prevention Tools

When you have no choice but to use devices such as USB memory or external hard disks, you should consider introducing tools that can directly control the device or DLP (Data Loss Prevention) tools that prevent information leakage.

By detecting the connection of USB memory and performing access control, or automatically setting it to read-only, you can prevent files from being taken out.

Also, using DLP, it is possible to automatically detect and block the removal of specific confidential information or copying to USB.
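
The following sketch shows the kind of content check a DLP tool runs before allowing a copy to removable media. It is an added example, not code from the article or from any product. The patterns (Japanese postal code, phone number, 12-digit Individual Number validated by its check digit), the threshold, and all function names are assumptions, and the sample rows are constructed.

```python
import re

# Assumed detectors; tune the patterns to the data your organization actually holds.
POSTAL = re.compile(r"(?<![\d-])\d{3}-\d{4}(?![\d-])")            # e.g. 660-0000
PHONE = re.compile(r"(?<![\d-])0\d{1,4}-\d{1,4}-\d{4}(?![\d-])")  # e.g. 06-0000-0000
TWELVE_DIGITS = re.compile(r"(?<!\d)\d{12}(?!\d)")

def my_number_valid(num: str) -> bool:
    """Check-digit test for a 12-digit Individual Number; filters random digit runs."""
    total = 0
    for n, ch in enumerate(reversed(num[:11]), start=1):  # n = 1 is the lowest digit
        weight = n + 1 if n <= 6 else n - 5
        total += int(ch) * weight
    rem = total % 11
    return int(num[11]) == (0 if rem <= 1 else 11 - rem)

def scan(text: str) -> dict:
    """Count personal-data indicators in the content about to be copied."""
    return {
        "postal_code": len(POSTAL.findall(text)),
        "phone": len(PHONE.findall(text)),
        "my_number": sum(my_number_valid(m) for m in TWELVE_DIGITS.findall(text)),
    }

def decide_copy(text: str, dest_removable: bool, bulk_threshold: int = 3) -> str:
    """Return 'block' or 'allow' for a copy; only removable destinations are gated."""
    if not dest_removable:
        return "allow"
    hits = scan(text)
    if hits["my_number"] > 0:                      # any validated national ID blocks
        return "block"
    if hits["postal_code"] + hits["phone"] >= bulk_threshold:  # bulk contact data
        return "block"
    return "allow"

# Constructed sample rows (not real data). The second ID fails its check digit.
SAMPLE_EXPORT = (
    "Resident A,660-0000,06-0000-0000,123456789018\n"
    "Resident B,661-0000,090-0000-0000,123456789012\n"
)
SAMPLE_MEMO = "Office: 660-0000, tel 06-0000-0000, ticket 123456789012"

if __name__ == "__main__":
    for name, body in (("export.csv", SAMPLE_EXPORT), ("memo.txt", SAMPLE_MEMO)):
        print(name, scan(body), decide_copy(body, dest_removable=True))
```

Validating the check digit keeps ordinary 12-digit strings such as ticket numbers from triggering a block, while the bulk threshold catches exports that carry many contact records even without an ID number.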

5. Summary

The Amagasaki City USB memory loss incident highlighted the seriousness of information leakage.
