Tokyo police Thursday arrested a former acting manager at a brokerage who was fired for stealing personal data on nearly 1.5 million customers and selling some of the information to mailing list companies. Hideaki Kubo, 44, a former acting manager at Mitsubishi UFJ Securities Co.'s systems department, has admitted to the allegations of theft and illegal computer access, police said.
The Financial Services Agency on Thursday issued two orders against Mitsubishi UFJ Securities. One was a business improvement order based on the Financial Instruments and Exchange Law and the other was a recommendation based on the law on protection of personal information.
Police said they will investigate the sloppy handling of information at the company. According to police, Kubo used the ID of a female employee under contract at a subsidiary to illegally access the customer database Jan. 26. The woman had been transferred to a different department in December, but her clearance for the database was not revoked. Using her ID, Kubo retrieved data on 1.48 million customers--Mitsubishi UFJ Securities' entire clientele--and stored encrypted names, addresses, phone numbers and income amounts in the company's server, police said.
On Feb. 4, Kubo instructed a male dispatch worker to copy the information onto a compact disc taken from office supplies, pretending the task was part of official work, they said. Kubo took the CD home and used his personal computer to relay information on about 50,000 customers to three mailing list companies. He collected about 328,000 yen, police said.
Mitsubishi UFJ Securities fired Kubo in April over the information leak, but by then, the damage had spread. The personal data has now reached 98 companies, and Mitsubishi UFJ Securities had received about 15,000 inquiries and complaints as of Tuesday, officials said. The victims continue to receive telephone calls urging them to invest in real estate and financial products, they said.
Mitsubishi UFJ Securities has provided gift certificates worth 10,000 yen to each of the 50,000 victims, costing the company 500 million yen. "We greatly regret and deeply apologize for causing so much trouble and concerns to our customers. We will continue to cooperate with the investigation to prevent the further spread of damage," a public relations official at Mitsubishi UFJ Securities said.
According to police, Kubo was in a position to know the IDs of about 300 employees with access to the customer database.
Violators of the Law on the Prohibition of Unauthorized Computer Access face a maximum of one year in prison or a fine of up to 500,000 yen.
Police will also seek a theft charge against Kubo over the 65-yen CD taken from the company supplies. A theft conviction can result in a 10-year prison term or a fine of up to 500,000 yen.