Multinational IT giant Fujitsu has announced that it has fallen victim to a malware attack and that the attackers may have leaked personal data and customers' personal information.
Fujitsu said it is conducting a forensic investigation to determine whether any information was leaked. Fujitsu did not specify the nature of the attack or provide any clues as to who was behind the intrusion. The malware used in the attack could not be identified.
Fujitsu stated on its website, “As a result of confirming the presence of malware on several of our company's business computers and conducting an internal investigation, we found that files containing personal information and customer information may be illegally taken out,” according to a translation from Japanese.
However, there may be more hidden in this incident than Fujitsu has revealed so far.
Will my personal information be left unprotected?
According to UK-based publication The Stack, citing a report from security researchers at the Netherlands Vulnerability Disclosure Institute, Fujitsu is said to have left some AWS private keys, client data, and plaintext passwords unprotected for one year.
Researcher Jelle Ursem told The Stack that the company had unknowingly made public a Microsoft Azure storage bucket containing backup emails with sensitive data, passwords obtained from password manager LastPass, and “scores” of Microsoft OneNote files.
Such information is coveted by cyber attackers due to its underground black market value.
According to the report, which has not yet been confirmed by other researchers, Mr. Ursem attempted to report his findings to Fujitsu, but was met with bureaucratic responses from the company.
Fujitsu incident response
Following the attack, Fujitsu said it had disconnected affected systems from its network and “taken other measures, including increased monitoring of other business computers.” The company did not say what data may have been stolen or whether it belonged to internal personnel, third-party suppliers or customers.
Fujitsu further said it had reported the incident to Japan's data protection authority, the Personal Information Protection Commission.
The company said, “In addition to reporting the incident individually to the affected individuals and customers, we also reported to the Personal Information Protection Commission in anticipation of the possibility that personal information may have been leaked.” It added, “To date, we have not received any reports that personal information or information about our customers has been misused.”
It is unclear whether Fujitsu has submitted the required data breach information to other regulatory bodies, including U.S. authorities.
Ilya Sotnikov, security strategist and vice president of user experience at Netwrix, a data security and compliance company, offered his thoughts on Fujitsu's approach to post-incident information disclosure.
“Decisions about when and how much to disclose often depend on an organization's culture. Some organizations prefer to know the scope and details of an incident before reporting anything to avoid misunderstandings. They will wait for certainty.”
“Other companies, such as Fujitsu, have taken a more proactive approach, notifying potentially affected customers that their personal information may be at risk of being misused,” Sotnikov said. “Breach notification rules in various jurisdictions are becoming increasingly strict, and encouraging companies to share information early will ensure that both authorities and affected parties are aware sooner and reduce risk. The aim is to enable them to make their own informed decisions.”
This cybersecurity event is the second time Fujitsu has been hacked in the past three years. In May 2021, hackers exploited the company's ProjectWEB information sharing technology to leak approximately 76,000 email addresses and sensitive information in a breach of numerous Japanese government networks.
Fujitsu has approximately 124,000 employees and sells to customers in approximately 50 countries and territories. Its customer lineup includes government agencies and major corporations. At last count, the 89-year-old company had sales of $25 billion in 2023.