TOKYO -- A massive information security breach at Japan's pension service deals a blow to an institution that has struggled to regain credibility after past scandals.
Some 1.25 million names and pension identification numbers, some accompanied by dates of birth and addresses, were leaked as a result of a cyberattack, the Japan Pension Service said Monday.
The institution fell prey to an email-borne virus, but mistakes before and after the fact exacerbated the damage.
Unauthorized access of computer networks at government-affiliated bodies is hardly unusual in Japan. In March of last year, for instance, the leak of some 330 email addresses and other pieces of information occurred at the Building Research Institute. But the pension data leak was bigger than any in memory, according to the Cabinet Secretariat.
The pension service says it uses virus detection software. Yet a virus lurking in a file disguised as a seminar invitation was somehow able to penetrate this barrier, infecting the computers of at least two employees. Entire files appear to have been swiped from a shared server accessible through a local area network.
The pension service "was not able to prevent a malicious attack," Welfare Minister Yasuhisa Shiozaki acknowledged at a news conference.
What happened next seems to have made matters worse. After the initial infection was detected on May 8, the pension service isolated the compromised computer and warned employees not to open attachments to suspicious emails. But this advice went unheeded by some. Another employee received the email and opened the file. Only on May 19 did the pension service ask Tokyo police to investigate; by then, its network had been infiltrated multiple times. A swifter response would likely have limited the loss of data.
Other missteps came before the breach. Internal rules require the use of passwords to safeguard personal information. But some 550,000 of the 1.25 million leaked names and ID numbers lacked password protection, the institution admitted.
Established in 2010, the Japan Pension Service was supposed to represent a break from past mismanagement. Its disgraced forerunner, the Social Insurance Agency, left millions of Japanese who paid into the pension system unaccounted for and let employees peep into personal information. The pension service handles sensitive information, including standard monthly benefits, which give an indication of a person's income. Successive governments have tried to restore public trust in the system, but Prime Minister Shinzo Abe's cabinet will bear the black eye for the latest scandal.
Abe may be feeling an uncomfortable sense of deja vu. During his first stint as prime minister, the Social Insurance Agency was found to be missing some 50 million pension records. The public outcry hurt his cabinet's approval rating and contributed to the ruling Liberal Democratic Party's defeat in the 2007 upper house election.