NTT West: Be Aware of Responsibility for Handling Personal Information

NTT West Corp. has a grave responsibility over failing to protect a vast amount of personal information held by one of its subsidiaries over a long period of time. The company should thoroughly strengthen its personal information management system.

In January this year, a former temporary employee of an NTT West subsidiary was arrested by the police on suspicion of violating the Unfair Competition Prevention Law by copying customer data of another subsidiary onto a USB memory stick, which is a storage medium, and illegally taking it outside.

The leaked personal information amounted to about 9 million items of data. The subsidiary company from which the information was taken had been entrusted with call center operations by other corporations, local governments and other entities. Personal information, including names, addresses and telephone numbers obtained through these operations, was reportedly sold by the former temporary worker to list brokers.

The former temporary worker belonged to a subsidiary that was responsible for maintenance of the customer information management system of the subsidiary from which the information was taken. The information was reportedly taken over a period of about 10 years. Even though its subsidiaries were involved, it is obvious that NTT West’s management system was inadequate.

NTT West President Masaaki Moribayashi has announced his intention to step down at the end of March to take responsibility for the problem. The company said it is unusual for a president to resign over a leak of personal information, but given the poor handling of the situation, his resignation is not surprising.

NTT West conducted an internal investigation in April 2022 after a client company pointed out a suspected leak of information. However, at that time, NTT West failed to detect any wrongdoing and did not review its management system.

According to a report by outside lawyers and other experts who examined the response of NTT West at the time, the initial investigation was entrusted to the subsidiaries involved, which also were the targets of the investigation, with only four people conducting the probe.

In addition, those involved in the internal investigation made false reports, such as stating that the terminals used for relevant work did not have a port for connecting USB memory sticks, when in fact they did, and stating that software for encrypting data had been installed, when in fact it had not.

The leak was later confirmed when the police, after being consulted by a client company of the affected subsidiary, launched an investigation. It was in October 2023 that NTT West made the leak of information public. It is highly likely that its delay in responding amplified the damage.

NTT West left the investigation of a serious leak of personal information entirely to the subsidiaries involved and overlooked the results of the sloppy investigation. The laxity of NTT West’s crisis management is a disgrace.

NTT West intends to spend about ¥10 billion over the next three years to strengthen its system of monitoring for irregularities and for other purposes. It is quite natural for the company to take such action. However, in addition, it must change its mind-set on the significance of personal information. It is hoped that the company will work on this issue with the NTT Group as a whole.

(From The Yomiuri Shimbun, March 6, 2024)