Confusing cloud settings cause personal data leak for Japan users

The Yomiuri Shimbun

16:25 JST, May 3, 2021

Platform interface issues in a cloud system provided by a U.S. contractor exposed the personal information stored by dozens of municipalities and companies in Japan to unauthorized viewers, after users mistakenly configured the system’s settings to allow public access to their content.

Local governments and corporate users maintain that they chose the wrong settings due to the overly complicated nature of the system.

Warning that there may be even more companies who have similarly misconfigured their settings with the service, the National center of Incident readiness and Strategy for Cybersecurity (NISC) has asked the U.S. provider to remedy the situation.

Domestic giant affected

The service was provided by U.S.-based IT company Salesforce.com, Inc., whose Japanese subsidiary, Salesforce.com Co., is one of the leading names in cloud storage in Japan.

According to the Internal Affairs and Communications Ministry and the Personal Information Protection Commission, the data of 20 local governments, including the Funabashi and Ibaraki city governments, and 18 companies, including Rakuten Group Inc. and SMBC Nikko Securities Inc., was left accessible to unintended eyes. In all cases, the municipalities and companies had mistakenly set their privacy settings to allow public viewing.

The data of seven cities, including Kobe and Higashi-Murayama, and five companies, including Rakuten and SoftBank Group Corp.’s cashless payment service provider PayPay Corp., were found to have been accessed by outside parties, although it remains unknown whether the personal information was abused after being viewed.

The breaches came to light after PayPay announced in December that the names and contact information of its member store owners had been compromised. Later that month, Rakuten similarly announced that over 1.48 million sets of names and contact information, including those who had requested information on setting up an online shop with the cybermall had been exposed, and confirmed that it had found evidence that at least some of the datasets had been viewed by third-parties.

600-page instructions

Although Salesforce and other cloud computing service providers handle all of the back-end architecture for clients, it is up to the users to configure their privacy settings and access authorizations on the front end.

“It’s not that our company has flaws in our products, but that our clients misconfigured their access authorizations,” said a Salesforce spokesperson.

But the companies and local government offices that contract with Salesforce contend that their service is far from user-friendly.

“Just to identify where the problem was with our settings, we would have to read over 600 pages of instructions,” said an employee at an affected financial institution. “The company needs to provide more support.”

In January, Rakuten issued a statement, saying: “We have continued to ask the system provider for detailed information on specification changes and reconfigurations.”