Loss of USB Flash Drive with Personal Details about Temporary Special Benefit Payments to Local Resident-tax-exempt Households
June 24, 2022
We hereby extend our deepest apologies to Amagasaki residents and parties concerned for any significant anxieties and concerns caused by the loss of material information which Amagasaki City entrusted us with.
We announce below the sequence of events as we know at this point in time, our issue awareness, our responses and preventive measures against recurrence.
We have positioned ensuring information security and protecting personal information as our material issues. We have maintained and operated our arrangements for information management, and we have conducted training and provided guidance to all executives and employees of our subcontractors as well as our group companies.
We of the entire company take this incident seriously. We will ensure that our management arrangements will be operated without fail, be revised and be improved. Furthermore, we will ensure again that our subcontractors as well as all executives and employees will receive our training and guidance in order to prevent recurrence.
1.Sequence of Events
June 16 10:30-11:30
We reported at a weekly regular meeting that we would update data at a call center (the Kyufukin Call Center) (in Suita City) on June 21. We were approved.
June 21 17:00
An employee of our subcontractor company (hereinafter referred to the ‘Person’) transferred data onto a USB flash drive at the Shisei Joho Center (the municipal administration information center) of Amagasaki City. The Person went to the call center.
18:00
The Person met two employees of our Company and one employee of our subcontractor at the call center. They were four in total.
18:00-19:30
The party conducted work of updating data at the call center.
19:30-22:30
The four people dined out after work.
22:30
It is confirmed that the Person held his bag when the party left a restaurant.
June 22 03:00
When the Person woke up after having fallen asleep on the street, he was aware that his bag was gone. He walked back home.
09:00
The Person communicated to the Company that he would take a day off, without reporting on the loss of his bag.
The Person went out again and searched the area for his bag, but in vain. He filed a lost property report with the Suita Police.
14:00
The Person communicated to the Company that he lost his bag.
14:30
The Company communicated to the Person. The Company confirmed with the Person that the bag contained the USB flash drive, and the flash drive contained data on residents.
14:30-15:45
The Company confirmed with the people in charge of the work the situations and facts.
15:45
The Company reported the incident to Amagasaki City (the Joho Seisaku Ka/ the information policies section of the Gyohsei Hohmu Bu/ the administrative legal affairs department).
16:00
The Company researched the quantity of resident data.
The Company reported the quantity to Amagasaki City (the information policies section of the administrative legal affairs department).
June 22 21:00
The Company reported on the Sequence of Events described above as well as the correct quantity during an interview by Amagasaki City (the administrative legal affairs department).
June 23 09:00-11:30
The Company employees searched for the bag, but they could not find it.
June 23 11:00-
Amagasaki City held a press conference.
June 23 12:00-
The Company held a joint press conference with Amagasaki City at the request of Amagasaki City.
June 23 13:30-
The mayor of Amagasaki City held a regular press conference including a question and answer session.
2.Reason for Taking out the USB Flash Drive and Data Contained in It
The Person transferred the latest data in the Benefit server at the Shisei Joho Center (the municipal administration information center) onto a USB flash drive in order to update data at the call center. And, the Person conveyed the USB flash drive.
The flash drive was protected by encryption and robust password settings. The data contained in the USB flash drive was encrypted in order to avoid any direct view.
The USB flash drive contained the personal data listed below.
[Personal Data Contained in the USB Flash Drive]
(the same as indicated in the material published on June 23 by Amagasaki City)
Data in the Basic Resident Register about all residents (460,517 people)
=> unified code, name, postal code, address, date of birth, gender, date when the person is registered as a resident, etc.
Tax data of all residents (360,573 pieces)
=> unified code, inhabitant tax on per capita basis
Data of households subject to temporary special benefit payment such as tax-exempt households
(74,767 households for the fiscal year of 2021 or Reiwa 3
7,949 households for the fiscal year of 2022 or Reiwa 4)
=> unified code of household head, application form number, application acceptance date, reasons for undelivered application form, bank transfer finish processing date, etc.
Account data of households on welfare and households receiving child rearing allowance
(Households on welfare: 16,765 pieces
households receiving child rearing allowance: 69,261 pieces)
=> unified code, financial institution code, branch office code, account category, account number, account holder
3.The Issues
We will continue to confirm, analyze and improve the situations in the future.
We recognized that we have not prepared operation manuals in compliance with our company’s information security rules and have not confirmed with Amagasaki City. We are aware of the specific four key points below.
-
Insufficient respect for an approval process that should be followed in order to take out and carry data
A briefing was given at the regular weekly meeting on June 16 on taking out and carrying data for updating data at the call center. However, specific methods and electronic media for carrying data were not mentioned. As a result, Amagasaki City was not aware of conveying data via a USB flash drive.
-
Issue about means for carrying data
The data should have been carried through the use of transportation means such as security-assured delivery services operated by transport companies. Instead, the USB flash drive that contained the personal data was carried by one person.
-
Erasure of data in the USB flash drive after work
The data contained in the USB flash drive should have been erased after finishing the task of updating data at the call center. No manuals to be complied with existed. No instructions about erasing data was given to the Person or operator. No confirmations were made with the Person or operator.
-
Safekeeping the USB flash drive after work
The USB flash drive should have been safekept at a specified place of storage after work at the call center. In this regard, no instructions were given and no confirmations were made. The Person dined out with the USB flash drive containing the data. In the end, the bag that contained the USB flash drive was lost.
4.Responses (the Current Situations)
The Company is making the responses below in order to find the missing bag as soon as possible.
1. Search the area by the Company’s employees
The Company employees have been making all-out efforts to search the area since June 23.
2. File a report with the Police
A lost property report was filed with the police office concerned on June 22.
3. Confirm the mobile phone location with a mobile phone company
A mobile phone company was asked to confirm the location of a personal mobile phone contained in the bag on June 22. We have been continuing the confirmation.
4. Monitor the dark web situations
The Company will begin to monitor dark web websites situations this afternoon in order to detect any signs of leakage of the personal data.
5. Report to Personal Information Protection Commission
The Company reported the incident to the Personal Information Protection Commission.
5.Preventive Measures against Recurrence
We are prepared to endeavor to prevent the incident from recurring by ensuring the implementation of the measures below.
1. [Management Arrangements]
Strengthen management arrangements and ensure to keep every person informed again of our security policies
We will assign senior executives as managers for customers’ confidential information who provide additional supervision and strengthen the current management arrangements. In addition, we will revisit the operation procedures, identify shortages and improve the procedures pursuant to the security policies of Amagasaki City. We will report the improved operation procedures to Amagasaki City. Upon approval from Amagasaki City, we will thoroughly inform our employees and employees of our subcontractor of, and ensure them to comply with the improved procedures fully.
2. [Operations]
Fully comply with rules about taking out and carrying data
We will ban data from being taken out and carried in principle.
If data needs to be taken out and carried due to business requirements, we will comply with the basic principle of ‘bare minimum in minimal time’. We will follow the rules below without fail after checking our operation procedures.
- We will ensure without fail that our project manager will apply to and receive approval from Amagasaki City in a written form (where purposes, date and time, transfer methods, storage information, etc. are described) before data will be taken out and carried.
- The Company will ensure without fail that data will be taken out in the presence of Amagasaki City officers. The Company will also ensure that data will be carried together with Amagasaki City officers or data will be carried through the use of security-assured delivery services operated by transport companies.
- The Company will ensure without fail that data will be erased from a separate device by multiple persons and Amagasaki City officers will confirm the result.
3. [Training]
Ensure again that the project members and our subcontractors receive training and guidance
We will ensure without fail that we will provide training and guidance to the project members. We will strengthen training and guidance contents in light of handling customers’ data in order to develop a strong sense of responsibility and a keen awareness about handling customers’ data.
Furthermore, we will ensure again that all executives and employees of the Company and our subcontractors will receive training and guidance about information security.
For inquiries, please use an inquiry form in the page below: