The Japanese National Pension System was hacked and according to the announcement on Monday, 1.25 million Japanese have been affected by this breach. According to the Japan Times, the breach was due to an employee opening an attachment on an email that contained a virus. The computers that were initially affected by the hack were connected to the fund’s central database which keeps all of the fund’s member information.
What strikes me about the initial report was the level of detail the Japanese were willing to discuss as to how they were going to fix the problem, and what steps they had taken initially. When companies within the US have a breach, the typical response is just a statement to the press about how they are taking “appropriate actions” to secure customer information blah blah blah. The Japan Pension Service said that they were restricting employee access to the internet, and had removed all infected machines from the corporate network. The officials also said that in 500,000 of the 1.25 million cases, passwords had not been set, which was a violation of the fund’s internal rules. The President of the Japan Pension Service apologized for the leak and said affected people will be given new pension ID numbers.
I understand that this is a rule violation, but the users of the pension system are probably less trained or qualified on computers than the typical 18-25 year old population. If they knew that there were 500,000 records without passwords, shouldn’t they have forced passwords to be set by denying access to the funds until one was chosen? This is a very common practice with companies today and is the responsible thing to do. Chase or Bank of America do not let you have a weak or default password, because they have a mutual self-interest in keeping your money safe. Otherwise they would be held liable in case of theft, etc.
Overall the Japan Pension Service responded swiftly, apologized, and took corrective action, which most companies could take note of. They did not deny or pass blame; they accepted their role in the situation and did what they could to make it right. This is an unfortunate circumstance in which consumers were the victims of cyber-crime, yet it has some silver linings. American companies could learn more than just a thing or two from the Japanese when it comes to handling a cyber-attack and public relations.