« 社説:武藤議員離党 公認した自民の責任は | トップページ | 露首相択捉訪問 領土交渉に背向ける軽挙妄動 »

2015年8月23日 (日)

年金情報流出 危機感の欠如が被害を広げた

The Yomiuri Shimbun
Low security consciousness at JPS exacerbated pension data breach
年金情報流出 危機感の欠如が被害を広げた

The Japan Pension Service can hardly be regarded as an organization properly handling a massive amount of personal information. Its sloppy information management must be corrected urgently.

An in-house investigation committee at the JPS and a third-party panel at the Health, Labor and Welfare Ministry have released, separately, reports on the findings of each of their investigations into an incident in which 1.25 million cases of personal information, including the basic pension numbers of pension recipients, were compromised at the JPS.

According to the JPS report, the organization received a total of 124 targeted e-mails carrying a virus from May 8 to 20. File attachments of five of the e-mails were opened, causing 31 personal computers to be infected with the virus and information to be compromised within three days from May 21.

There were several opportunities during that period for the JPS to prevent the damage from spreading.

However, the organization failed to block further e-mails from the address used for the first problematic e-mail following its receipt. It did not confirm properly from mail recipients whether they had opened attachments, and delayed action to cut off Internet connections for the entire JPS computer system.

JPS President Toichiro Mizushima said during a news conference Thursday, “I thought we had confirmed whether the attachment had been opened.” The comment is one indication of the lenient attitude within JPS of leaving everything to those in charge. It was natural for the report to say that “a sense of crisis was lacking.”

It is also problematic that sloppy information management has become everyday practice at the JPS.

Personal information was permitted to be stored in an Internet-connected shared file server when deemed necessary. It can thus be said that the JPS faced a constant danger of the unauthorized exposure of information.

Absence of systematic checks

Rules such as setting passwords were not observed and the JPS did not have a system in place to check what was going on.

The report identified that long-standing problems — carried over from the era of the JPS’s predecessor, the Social Insurance Agency — including a lack of unity as an organization, underlie the data breach. At the now defunct SIA, a lack of control was caused by a three-tier structure for employees, including those recruited by the SIA’s central and local offices. This led to a number of scandals, including a huge blunder with pension record-keeping.

Such an organizational culture likely remains pervasive within the JPS. A sweeping organizational reform is called for, in addition to the bolstering of information management systems.

The welfare ministry’s responsibility is also grave in this regard.

According to the report released by the ministry’s third-party investigation panel, adequate supervision could not be provided because it was not clear which department at the ministry was in charge of the JPS’s information systems.

Despite the fact that the JPS had suffered a similar cyber-attack in April, before it received the targeted e-mail in May, the ministry provided no information on the incident nor did it issue an alert.

It was natural for welfare minister Yasuhisa Shiozaki to say, “Both the JPS and the ministry must take responsibility [for the incident].” It is necessary to ensure that a recurrence of similar incidents is robustly prevented, and that work proceeds toward restoring confidence in the pension system.

Joint efforts by private and public sectors are sought to deal with cyber-attacks, which are becoming more ingenious and shrewd.

(From The Yomiuri Shimbun, Aug. 22, 2015)


« 社説:武藤議員離党 公認した自民の責任は | トップページ | 露首相択捉訪問 領土交渉に背向ける軽挙妄動 »





« 社説:武藤議員離党 公認した自民の責任は | トップページ | 露首相択捉訪問 領土交渉に背向ける軽挙妄動 »