Apology and Announcement Regarding the Possible Leakage of Information Due to Unauthorized Access

2021.01.18

　　　　　　　　　　　　　　　　January 18, 2021

To whom it may concern,

Marubeni Power & Infrastructure Systems Corporation

Ken Muroie, President

Apology and Announcement Regarding the Possible Leakage of Information

Due to Unauthorized Access

 We, Marubeni Power & Infrastructure Systems Corporation (the “Company”) have found a possible leakage of certain data stored in the file server that we had been using (hereinafter referred to as “the Server”) due to unauthorized access by external parties to the Server.

 We would like to express our sincerest apologies to all parties concerned for the immense inconvenience and concerns caused by this incident.

 We, hereby, report the known facts and the actions taken by the Company in response to this matter, as follows.

Summary

1. Outline of the unauthorized access

(1) Causes

 Unauthorized access through an external attack on the vulnerability of the Server.

(2) Background

 On July 3, 2020, having detected an abnormality on the Server, the Server as well as all external access were immediately shut down.

 Subsequently, a survey by a specialized security company revealed traces of unauthorized access by external parties starting from around June 30, 2020. Although details could not be confirmed, judging from the communication volume of the unauthorized access, the Company determined the existence of possible leakage of certain data stored in the Server (Approximately several hundred megabytes of data out of the approximately 3.0 terabytes of data stored in the Server).

(3) Data that had been stored in the Server

 The Server which was subject to the unauthorized access contained data including the following.

a. Individual Number (My Number) informationof 132 persons, including employees and certain members of their families who were registered as employees of the Company in 2018, and employees who retired from or joined the Company (including ex-employees) in and after 2018

b. Account information of financial institutions of 117 persons who were registered as employees of the Company in and after 2018

c. Employee information of 256 persons who were registered as employees of the Company (including former employees and seconded employees) in and after 2018

Age, birth dates, academic background, health insurance numbers, etc.

d. 2,107 new graduate candidates for employment from 2019 to 2021 (including graduating students) and 810 mid-career employment candidates from 2019 to 2021

Names, addresses, birth dates, telephone numbers, e-mail addresses, etc. on the resumes and entry sheets

e. Address lists for 375 employees of the Power Business Division, Marubeni Corporation (hereinafter referred to as “Marubeni”) and the Company in and after 2008

f. 1,027 contact persons of customers/suppliers who received greeting messages from the Company in and after 2011

Names, names of companies, positions, telephone numbers, etc.

g. 241 contact persons of customers/suppliers for whom the Company made VISA applications

Names, passport numbers, birth dates, etc.

2. Actions taken in response by the Company

(1) Report, etc. to the Personal Information Protection Commission

 We completed reports to the Personal Information Protection Commission on July 31 and October 1, 2020. On August 7, 2020, we also reported such damage to the district police station (Chuo Police Station, Metropolitan Police Department), which received the report as a criminal complaint.

(2) Actions to prevent the recurrence of this incident

 To prevent unauthorized access to the Server, we abolished the system in which the existing vulnerability was found, and replaced the previous system with a more secure system. We will continue to make efforts to heighten our security measures in collaboration with Marubeni, the parent company, and the external specialized security company.

(3) Individual notices

  We have been making individual notifications to persons who were subject to possible leakage of Individual Number (My Number) information and bank account information by recommending changes of Individual Numbers (My Numbers) and bank accounts, among other measures, considering the nature of the information involved.

3. Current status

 Currently, no suspicious access has been detected in the new system. We also have not received any reports of further damage including the malicious use of the information that was possibly leaked.

4. Request to all parties involved

 Although at present, no further damage has been confirmed, persons subject to possible information leakage may receive spoofed emails impersonating the Company and other suspicious contacts in the future. Such persons are asked to be especially wary of these contacts.

Going forward, if you receive a suspicious email impersonating the Company with a file-attachment, you are asked to never, under any circumstances, open such file, or access the URL, etc. stated on the email, and to notify us at the contact indicated below.

 The Company will continue to take the necessary actions to prevent any further damages and such incidents from recurring by coordinating with Marubeni and the relevant authorities.

Contact regarding this matter:

Personnel & General Affairs Dept.

Marubeni Power & Infrastructure Systems Corporation

E-mail：MPSC-MADOGUCHI@marubeni-mpsc.com

End of document