A massive data breach at Japan’s largest travel agency has underscored the risks companies face when they keep sensitive data on networks connected to the internet, experts say. Some warn government systems are especially vulnerable to state-sponsored attack, including by China and North Korea.
JTB Corp. said Tuesday hackers may have obtained the passport details and other records of 7.93 million customers after a subsidiary’s server was hacked in April.
On Wednesday, the government-backed Japan Tourism Agency faulted JTB for keeping personal information on a machine reachable from the global internet.
Japanese firms and government agencies should consider isolating their networks, said Vitaly Kamluk, Principal Security Researcher at Kaspersky Lab in Singapore.
“We have reported many cyberattacks against Japan, including those which targeted defense contractors and government,” Kamluk said.
“One approach to tighten up defense is to segregate networks and to isolate state computers from the rest of the world.”
Singapore will cut internet access to the computers of all government employees from May next year, the nation’s prime minister said last week.
The extent of Singapore’s switch-off is unclear, but an extreme version would ban people from using memory sticks as well as remove the internet connection. Outside attackers need considerable effort to extract data from such isolated computers, although the machines are less usable for daily tasks.
Investigative sources in the JTB case told Kyodo News on Thursday the breach began when a worker opened a virus-infected email attachment that purported to be a booking request sent by All Nippon Airways Co.
Cybersecurity experts in Japan have praised efforts by the Information-technology Promotion Agency to tighten safeguards. It has recently issued guidelines on password security and begun to issue regulations that companies must adhere to.
“These are great steps,” said Paul S. Ziegler, CEO of Tokyo-based cybersecurity firm Reflare. “Most of it is happening in the context of the 2020 Olympics, where Japan wants to be prepared, so companies are picking up on that.
“While most of them still don’t understand what security is, and they cannot be blamed for that because security is a very complex field, what they do understand is compliance and regulations.”
While regulatory restrictions cannot ensure total security, some analysts say stronger rules could reduce flat-footedness by companies when they fall victim.
Education services company Benesse Corp. failed to notice when an insider began copying millions of customer records to his smartphone. The 2014 incident, which affected almost 29 million people, was Japan’s largest reported data breach.
And in the JTB case, the travel agency discovered the break-in on April 1 but waited two months to announce it.
“Reporting guidelines are weak. They’re vague. We now have some in Japan, but it’s an evolving concept,” Ziegler said.
Meanwhile, a cyberintrusion into the computers of the U.S. Democratic National Convention, announced Tuesday, has thrown a new focus on the threat from state-sponsored attacks.
Two apparently rival hacking teams were identified in the breach, both believed to be based in Russia.
“The fact that two known, Russian-speaking cyberespionage groups were found in the network of one organization is particularly intriguing,” said Costin Raiu, director of Kaspersky Lab’s global research team in Moscow.
“The CozyDuke and Sofacy groups are both considered to be nation-state sponsored, and the fact that they’re both hunting for data in the same network may indicate that there is an element of competition between them.”
Ziegler said Japan should be especially alert to attacks of this kind because of animosity from its neighbors.
“Japan faces unique threats coming from North Korea and China, which usually would only target Europe for industrial espionage, but which have cultural or historical reasons to target Japan for more complex attacks,” he said.