Risk awareness in handling highly confidential data is seriously lacking

The personal information of every resident was in danger of being leaked. It must be said that awareness was sorely lacking regarding the handling of highly confidential information.

A man working on a project for a systems company that had a contract with the Amagasaki municipal government in Hyogo Prefecture, involving the provision of benefits related to coronavirus control measures, lost USB memory sticks containing information on about 460,000 citizens.

The worker transferred the information to USB sticks as part of work to set up a call center to respond to residents’ inquiries about the benefits. After taking the USB sticks with him, he reportedly got seriously drunk at an izakaya pub and lost the sticks.

In addition to names and addresses, the USB sticks contained bank account information on households receiving public assistance, among other data. The USBs were found and returned two days later. However, if the information had been leaked and fallen into the wrong hands, it could have been used in bank transfer scams or other crimes. The harm would have been irreparable.

The systems company’s responsibility is extremely grave. In violation of its contract with the city government, the company repeatedly outsourced the work of setting up the call center to subcontractors and even a sub-subcontractor. The man who lost the USB sticks was an employee of the sub-subcontractor, and the city said it had been unaware of the fact.

After the call center was established, the employee was supposed to delete the data, but the systems company failed to confirm whether he actually did so.

There are also many problems with the city’s response. When the man loaded the information onto the USBs, no one else was present, meaning that he carried out the data transfer without permission. He had been in charge of managing the city’s systems for about 20 years and was in a position to know the IDs and passwords needed to retrieve the data.

The city may have had a cozy relationship with the systems company, as they had known each other for a long time, and the local government may have left all the work entirely to its outsider’s discretion. The city government said it is considering seeking damages from the systems company. However, it must clarify the cause and where the responsibility lies.

In response to the incident, the Internal Affairs and Communications Ministry has issued a notice to local governments across the country urging them to take thorough safety measures when asking outside service providers to handle their information.

Many local governments use USB sticks to transfer information. Some local government officials themselves are in charge of transferring information without entrusting it to outside operators. To prevent a similar situation from occurring, local governments should review how they handle information.

The central government also needs to support local governments such as by dispatching personnel who are familiar with information security and providing training sessions for that purpose.

The coronavirus pandemic has highlighted the issue of information sharing between the central and local governments not proceeding smoothly. Unless officials develop risk awareness and recognize the importance of safety measures, it will be extremely difficult to realize such information sharing.

(From The Yomiuri Shimbun, June 29, 2022)