The former Mitsubishi UFJ Securities Co. employee suspected of having sold personal data on more than 49,000 clients is believed to have accessed the firm's client database using his colleague's ID and password, sources said Thursday.
The Metropolitan Police Department suspects the former employee, 44, used another employee's ID and password to conceal his actions. Before he was dismissed Wednesday, the man was deputy head of the computer system department at the securities firm in Chiyoda Ward, Tokyo.
The MPD plans to start investigating the case as soon as the firm files a criminal complaint against the former employee, believing the man's actions violate the Unauthorized Computer Access Law. According to the brokerage, a total of eight employees, including the deputy chief, were entitled to access the firm's database.
The deputy chief is believed to have somehow acquired the details of the ID and password of another employee who was authorized to use the database, the MPD said. Using this information, he allegedly accessed the database several times between Jan. 26 and Feb. 4 and succeeded in withdrawing the clients' personal data. The man allegedly copied data on 1,486,651 clients onto a CD-R. He then allegedly e-mailed data on 49,159 clients via his personal computer at home to three personal data list dealers in mid-February and received 328,000 yen in return.
In mid-March, the brokerage launched an investigation after receiving complaints from customers. Because the deputy chief admitted what he had done, the firm is currently preparing to file a criminal complaint against the man with the MPD. According to senior investigators, when people take data on clients with them on another storage device, this act itself is not considered to constitute theft.
In the latest case, investigators found out that the deputy chief already handed over the CD-R in question to the company. It will therefore be difficult to charge the former employee with theft because the security firm did not lose any property.
Under the law regulating illegal access to information via computer networks, it is not considered illegal for an individual with the right to access certain information to take this information with them in another form. However, it bans individuals accessing such information using somebody else's ID or other personal data without permission.
Those who violate the law can be imprisoned for up to one year or fined up to 500,000 yen.
Source