TOKYO -- The recent data breach at Japanese education company Benesse underscores the need for improved oversight of digitized customer data, which can be easily stolen by an unscrupulous contractor.
Benesse Holdings Chairman and Chief Executive Officer Eikoh Harada apologized for the breach, which likely compromised 100 million pieces of customer data, at a news conference Thursday evening. "We must reflect sincerely on our security measures," he said.
The suspect, Masaomi Matsuzaki, was a systems engineer at a company subcontracted to manage and maintain Benesse's customer information database. He used his access rights to illegally copy the data.
The room containing the database terminal was closely guarded against outside intrusion, with a camera set up to constantly monitor the entrance. The terminal itself was set up to display an error message if an unapproved storage medium was connected.
But the smartphone used to download the data was an advanced model able to evade this measure -- a vulnerability that Matsuzaki exploited.
With more companies outsourcing maintenance of their electronic customer databases, such security breaches by contractors show no signs of stopping.
Even if contractors sign nondisclosure agreements, it is difficult to get the obligations across to their individual employees, points out Kei Umebayashi at law firm Nishimura & Asahi.
"At a site where people in various positions such as contractors and subcontractors go in and out, it's hard to detect misuse," admits a source at a database management company.
One factor behind the distribution of leaked customer data is a law fully implemented in 2005 that made it more difficult to acquire information from Japan's resident registry.
Much of the Benesse data dates from 2006 or later. Buying or selling stolen personal data is prohibited, so data brokers may well have had doubts about how it was acquired. But if they claim they did not know it was stolen, that is difficult to disprove, making it impossible to control the flow of data once it has been leaked.
Companies "have to enter nondisclosure agreements with individual employees, including those at contractors, and make it clear that there are penalties if they are violated, such as paying compensation for losses," Umebayashi says, stressing the need for stronger oversight.
In response to the breach, Benesse has laid out measures to prevent a recurrence, including a review of the oversight framework and access rights granted to employees.
"The ones who buy and use the data have to think more about compliance, including confirming where the information came from," says a source close to the Benesse investigation.