Insiders have stolen a database containing the private details of customers from Japan’s second-largest mobile phone operator. Two of their accomplices, who tried to blackmail KDDI by threatening to reveal the breach before a major shareholder meeting, have been arrested by Tokyo police. According to experts at InfoWatch, KDDI reacted properly to the blackmail threats, but the corporation should have thought of protecting against insider activity earlier.
Blackmailers attempted to extort almost $90,000 from Japan's KDDI, the country’s second-largest phone company, by threatening to reveal a leak of private data belonging to four million customers before a major shareholder meeting. Representatives of KDDI immediately informed the Tokyo police and two suspects have since been detained. The investigation is continuing.
It transpired that the blackmailers did in fact have a database containing the private details of 4 million KDDI customers. The information on the database included the names, sex, birth dates, telephone numbers and e-mail addresses of 4 million people. That kind of information is perfect for carrying out crimes such as identity theft.
According to details from other sources, only those using the corporation’s high-speed Internet service (Dion) were affected by the breach and not mobile phone subscribers. Moreover, the database reportedly contained details of customers who applied for the Internet service before Dec. 18, 2003.
To demonstrate how serious their threats were, the blackmailers left a disk and USB flash drive containing the information at the front desk of the KDDI offices on May 30. The blackmailers said they would reveal the data leak to the press just before a major shareholder meeting. However, the company bosses ignored the criminals’ demands and contacted the law enforcement agencies. For two weeks police monitored the phone calls between the blackmailers and KDDI before arresting two suspects.
Management at the telecommunications firm said that the leak was undoubtedly the work of company insiders. Senior managers are certain that one of their employees copied the private details and removed them from the corporate confines. Over 200 people in KDDI had access to the stolen data.
KDDI announced the leak at a press conference at the close of trading last Tuesday. The company chairman apologized and stated that KDDI would review its policies and methods of protecting against insider activity to prevent similar incidents in the future. As a result of the disclosure, KDDI shares fell 8,000 yen to 661,000 yen – a drop of only 1.2%. Had the company tried to hide the leak, the consequences could have been much more costly, according to experts at InfoWatch.
“KDDI reacted in the right way: immediately contacted the police and ignored the blackmailers. However, the fact that such a large company allowed its most valuable asset to be leaked does not do its image much good. Such a large-scale breach does not only mean a leak of private details from KDDI but also the possibility of an exodus of customers to the company’s rivals. I think that is exactly what would have happened if KDDI had tried to conceal the leak, not to mention the mauling the company would have suffered on the stock markets. Now the company really has to take some steps to protect against insiders,” says Denis Zenkin, marketing director at InfoWatch.
Source: vnunet.com