Reuters reports the Japan pension system hacked, with millions of personally identifiable information (PII) leaked thanks to what appears to be the most common attack vector, a phishing attack:

Japan’s pension system has been hacked and more than a million cases of personal data leaked, authorities said on Monday, in an embarrassment that revived memories of a scandal that helped topple Prime Minister Shinzo Abe in his first term in office.

Japan Pension Service staff computers were improperly accessed by an external email virus, leading to the leak of some 1.25 million cases of personal data, the system’s president, Toichiro Mizushima, told a hastily called news conference.

He apologized for the leak, which he said involved combinations of names, identification numbers, birth dates and addresses.

The pension service was setting up a team to investigate the cause and prevent a recurrence, Mizushima said.

I have yet to read about the specifics, such as what actual malware was located, whether this was a zero-day attack, and other relevant items to better understand what transpired. It will be interesting to hear about Japan Pension’s security architecture to determine where it failed, if it actually failed or if there was some negligence involved.