Hackers target yearbooks, expose students’ personal data


Multiple municipalities reported data breaches involving photos and names of children following a wave of cyberattacks targeting yearbook publishers.

The attacks have shaken an industry that handles highly sensitive content but generally lacks robust cybersecurity protections.

One of the largest breaches involved Saito Collotype Printing, a century-old company based in Sendai. On April 11, the company reported a potential data leak involving yearbooks from the 2023 academic year.

The incident compromised up to 173,000 records across 2,000 schools in at least 20 prefectures. Areas affected included Hokkaido, Tokyo and Osaka.

Another major player, Ishikura Co., based in Saitama, north of Tokyo, disclosed on March 4 that its servers had also been compromised.

The company said more than 72,000 entries, children’s photos and names from 13 prefectures, were exposed.

Some data became unusable due to the attack, which involved ransomware, malicious software that encrypts data and demands payment for its release.

DEEPFAKE, IDENTITY THEFT

Experts fear that leaked data could be used for deepfake images, identity theft or social media impersonation.

“Yearbook photos could be misused to create deepfake pornography. The thought crossed my mind immediately,” said Sumire Nagamori, head of the cybersecurity watchdog Hiiragi Net.

According to Nagamori, online communities are already sharing yearbook photos and offering editing services, often with illicit or sexually exploitative intent.

“With both names and faces exposed, individuals can be easily identified and targeted,” she added. “People need to recognize that yearbooks contain highly sensitive personal information.”

Tetsutaro Uehara, a professor at Ritsumeikan University in Kyoto who specializes in information security, emphasized that children’s personal information also holds significant value for marketing purposes.

SMALL BUSINESSES, BIG RISKS

The targeted companies are typically small to medium-sized enterprises, many of which lack sophisticated cybersecurity systems.

“Malware often enters through routine data exchanges with clients,” Uehara said in calling for an industry-wide shift in security mindset.

Although the education ministry has issued general guidelines on school cybersecurity, no specific protocols exist for outsourcing to external vendors such as yearbook publishers.

This has left many schools unprepared to evaluate digital security risks in their partnerships.

Sendai’s board of education acknowledged that, even when security protocols are provided, school officials often struggle to fully understand the technical details.

Nevertheless, the board has committed to making schools accountable for safeguarding data, particularly when their partners share student information with subcontractors or dispose of physical media containing personal details.

The city experienced data breaches potentially affecting 27 of its municipal schools.

In Sapporo, where up to 100 schools may be affected, officials believe that some contracts were carried out based on outdated practices, without proper risk reassessments.

SCHOOLS NEED EDUCATING, TOO

Uehara called on schools to prioritize security over cost when selecting yearbook producers.

“Even if assessing a contractor’s cybersecurity is challenging, it’s something parents expect. Schools need to educate themselves to stay ahead of current threats,” he said.

In response to the growing crisis, education minister Toshiko Abe called on local governments to advise and guide schools on managing personal information.

She also announced plans to remind prefectural officials of the importance of data protection during upcoming briefings.

(This article was written by Yunisu Mahar and Akihito Ogawa.)


