[BreachExchange] Japanese electronic components manufacturer Murata apologizes for breach of employee and customer data

[Sophia Kingsbury]

https://www.zdnet.com/article/japanese-electronic-components-manufacturer-murata-apologizes-for-breach-of-employee-and-customer-data/

An official with Japanese electronic components manufacturer Murata has
released an apology for the leak of thousands of files in June that
contained bank account information for employees and business partners of
the company.

Norio Nakajima, CEO of Murata Manufacturing, released a statement
apologizing for an incident on June 28 when a subcontractor downloaded a
project management data file containing 72,460 pieces of information.

More than 30,000 documents contained business partner information like
company name, address, associated names, phone numbers, email addresses and
bank account numbers. The companies are based in Japan, China, Philippines,
Malaysia, Singapore, the US and EU but the enterprises "subject to customer
information are only China and the Philippines."

Over 41,00 documents about employees were in the leak as well, similarly
containing names, addresses and bank account numbers. The employees were
based in the company's offices in Japan, China, Philippines, Singapore, the
US and EU.

"On July 20, 2021, it was confirmed that an employee downloaded the project
management data including our business partner information and personal
information to a business computer without permission and uploaded it to
the personal account of an external cloud service in China," Nakajima said
in a statement, adding that there is evidence that no one other than the
subcontractor accessed the data.

"In addition, we have received reports from a survey of external cloud
service providers that it was confirmed that the information taken out was
never copied or downloaded by a third party. The uploaded data has already
been deleted from the business PC and external cloud storage service. No
virus infection or cyber attack has been confirmed in this matter."

Nakajima goes on to explain that the unnamed subcontractor was involved in
the company's accounting system update project.

The notice included a timeline that tracked the incident from its inception
on June 28 through its verification in August. Two days after the
subcontractor downloaded the files, the company got a security alert and by
July 4, their security team had confirmed what happened.

The company said it interviewed the subcontractor on July 8, who admitted
to downloading the information and then uploading it to a private cloud
account.

"On the same day, the uploaded data was deleted under the supervision of
the subcontractor," Nakajima said.

By August, the company internally confirmed what happened and had an
outside security firm also take a look at the situation.

Japanese news outlet ITMedia spoke to the subcontractor, who said, "I was
uploading my know-how to a personal cloud and organizing it in order to
learn system design, etc. It happened to contain sensitive information
about customers."

A Japanese blog confirmed that the subcontractor was an engineer for IBM
Dalian Global Delivery, a subcontractor of IBM China. Murata's accounting
system update project was outsourced to IBM Japan, which subcontracted it
to IBM China. The system is used to pay both employees and partners.

Murata told ITMedia that it was considering cancelling the contract and
potentially seeking damages.

Murata dominates the research, production and sale of electronic devices
made from fine ceramics. With over 70,000 employees, it plans to bring in
more than $2 billion this year.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210812/17affd23/attachment.html>