Sloppy password-less security left 1.25 million Japanese pension records exposed

Many industries have regulations to oversee that personal data is being handled properly, and not unnecessarily put at risk by inadequate security measures.

That’s the case, for instance, with Japan’s national pension agency – which stores a wealth of personal information, including individuals’ names, pension identification numbers, addresses and dates of birth. After all, if that information were to fall into the hands of criminals, it’s easy to imagine how fraudsters could abuse it for the purposes of identity theft.

The issue of defending pension services from hackers is a particularly hot topic in Japan, which has a significant ageing population. Indeed, a scandal involving pension record data resulted in Prime Minister Shinzo Abe losing a parliamentary election in 2007.

So, you would expect the security of the Japanese pensions system to be a priority for those in power.

And yet, despite the rules and regulations, hackers have hit Japan’s pension system and made off with over 1.2 million records containing personally identifiable information.

Toichiro Mizushima, president of the Japan Pension Service, apologised for the data breach, explaining that it occurred after an attacker targeted staff computers with a malware-laced email. News of the data leak rapidly became the top story on TV news reports.

So far, so bad. But it gets worse.

Because an investigation into the hack has reportedly revealed that 99% of the files accessed by the hackers were not properly password-protected.

According to the Japan Times, multiple reports have been filed with regulators since 2013 claiming that sensitive pension databases held at 395 offices complied with regulations that stipulate personal information “should not be stored in shared folders in environments that connect to the internet, and that if exceptions were made the files should be password-protected.”

“However, the sources said that pension offices did, in fact, store files in shared folders, for the purpose of creating notices for individuals who were behind in payments and for other tasks, and regularly used these folders on computers that were connected to the Internet.”

However, sources have told the media that “almost none of the files that were accessed had been protected by passwords.”

The revelation is a big concern for those responsible for Japan’s Pension Service.

Health minister Yasuhisa Shiozaki blamed staff for the risky behaviour: “Files that should have had passwords did not. The low level of awareness [among JPS staff] is a big problem.”

And an official for the pension service’s general affairs office said they had taken the compliance reports at face value:

“We accepted reports from on the ground as accurate. It’s possible that reports of full compliance were lies.”

All organisations could learn from this debacle: trust, but verify.

This article originally appeared on the Optimal Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
