2021.01.18
January 18, 2021
To whom it may concern,
Marubeni Power & Infrastructure Systems Corporation
Ken Muroie, President
Apology and Announcement Regarding the Possible Leakage of Information
Due to Unauthorized Access
We, Marubeni Power & Infrastructure Systems Corporation (the “Company”) have found a possible leakage of certain data stored in the file server that we had been using (hereinafter referred to as “the Server”) due to unauthorized access by external parties to the Server.
We, hereby, report the known facts and the actions taken by the Company in response to this matter, as follows.
Summary
1. Outline of the unauthorized access
(1) Causes
Unauthorized access through an external attack on the vulnerability of the Server.
(2) Background
On July 3, 2020, having detected an abnormality on the Server, the Server as well as all external access were immediately shut down.
Subsequently, a survey by a specialized security company revealed traces of unauthorized access by external parties starting from around June 30, 2020. Although details could not be confirmed, judging from the communication volume of the unauthorized access, the Company determined the existence of possible leakage of certain data stored in the Server (Approximately several hundred megabytes of data out of the approximately 3.0 terabytes of data stored in the Server).
(3) Data that had been stored in the Server
The Server which was subject to the unauthorized access contained data including the following.
a. Individual Number (My Number) informationof 132 persons, including employees and certain members of their families who were registered as employees of the Company in 2018, and employees who retired from or joined the Company (including ex-employees) in and after 2018
b. Account information of financial institutions of 117 persons who were registered as employees of the Company in and after 2018
c. Employee information of 256 persons who were registered as employees of the Company (including former employees and seconded employees) in and after 2018
Age, birth dates, academic background, health insurance numbers, etc.
d. 2,107 new graduate candidates for employment from 2019 to 2021 (including graduating students) and 810 mid-career employment candidates from 2019 to 2021
Names, addresses, birth dates, telephone numbers, e-mail addresses, etc. on the resumes and entry sheets
e. Address lists for 375 employees of the Power Business Division, Marubeni Corporation (hereinafter referred to as “Marubeni”) and the Company in and after 2008
f. 1,027 contact persons of customers/suppliers who received greeting messages from the Company in and after 2011
Names, names of companies, positions, telephone numbers, etc.
g. 241 contact persons of customers/suppliers for whom the Company made VISA applications
Names, passport numbers, birth dates, etc.
2. Actions taken in response by the Company
(1) Report, etc. to the Personal Information Protection Commission
We completed reports to the Personal Information Protection Commission on July 31 and October 1, 2020. On August 7, 2020, we also reported such damage to the district police station (Chuo Police Station, Metropolitan Police Department), which received the report as a criminal complaint.
(2) Actions to prevent the recurrence of this incident
To prevent unauthorized access to the Server, we abolished the system in which the existing vulnerability was found, and replaced the previous system with a more secure system. We will continue to make efforts to heighten our security measures in collaboration with Marubeni, the parent company, and the external specialized security company.
(3) Individual notices
We have been making individual notifications to persons who were subject to possible leakage of Individual Number (My Number) information and bank account information by recommending changes of Individual Numbers (My Numbers) and bank accounts, among other measures, considering the nature of the information involved.
3. Current status
Currently, no suspicious access has been detected in the new system. We also have not received any reports of further damage including the malicious use of the information that was possibly leaked.
4. Request to all parties involved
Although at present, no further damage has been confirmed, persons subject to possible information leakage may receive spoofed emails impersonating the Company and other suspicious contacts in the future. Such persons are asked to be especially wary of these contacts.
Going forward, if you receive a suspicious email impersonating the Company with a file-attachment, you are asked to never, under any circumstances, open such file, or access the URL, etc. stated on the email, and to notify us at the contact indicated below.
The Company will continue to take the necessary actions to prevent any further damages and such incidents from recurring by coordinating with Marubeni and the relevant authorities.
Contact regarding this matter:
Personnel & General Affairs Dept.
Marubeni Power & Infrastructure Systems Corporation
E-mail:MPSC-MADOGUCHI@marubeni-mpsc.com
End of document