The agency said the system that was hacked was not connected to its core network, which manages more sensitive data, including details of pension premium payments.
In the cyber-attack that began on May 8, Japan Pension Service employees opened files attached to e-mails that apparently contained viruses.
The employees’ computers were connected through a local area network.
Only authorized employees had access to personal information in the pension program. But employees were allowed to download data from the system to their own personal computers to ease their daily workload.
According to the agency’s in-house rules, employees are required to set passwords for such information kept on their personal computers.
But of the 1.25 million cases, about 550,000 were found without passwords.
Unbelievably terrible network design for working with personally identifiable information (PII). Whoever developed and implemented this architecture, and enacted such an obviously convenience-minded policy, needs to be fired.
The first rule when working with PII is to ensure it is completely separated from, and inaccessible from, the internet. It should be on a standalone network connected to nothing – no connectivity to the internet at all. There are methods for implementing strong security on an extranet of sorts, should some of this data need to be available via the internet. This was not the case for JPS – none of the data was required to be remotely accessible.
Unfathomable for a government agency that should know better.
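To make the isolation rule argued for above concrete, here is an added example (not code from the original post, and not anything the Japan Pension Service runs). It encodes a default-deny egress policy for a PII segment: workstations holding pension data may reach only approved internal servers and nothing on the internet. It evaluates a few constructed flow records against that policy, flagging the kind of outbound connection that a mail-borne infection would need, and renders the equivalent nftables ruleset. Every address, port, segment name and flow in it is an assumption or constructed sample data.

```python
"""Default-deny egress policy for an isolated PII segment.

Added example, not code from the original post or from the Japan Pension
Service. All addresses, ports, segment names and flow records are
assumptions/constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the isolated segment holding pension data.
PII_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Assumed internal address space; anything outside it is treated as "the internet".
INTERNAL_SPACE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The only destinations the segment may reach: network -> allowed TCP ports (assumed).
ALLOWED_DESTINATIONS = {
    ipaddress.ip_network("10.50.1.10/32"): {443},  # internal pension application server
    ipaddress.ip_network("10.50.1.20/32"): {514},  # internal log collector
}


@dataclass(frozen=True)
class Flow:
    """One observed TCP connection attempt: source IP, destination IP, destination port."""
    src: str
    dst: str
    dport: int


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow under the segment policy.

    Verdicts: 'ignore' (source is not on the PII segment), 'allow', 'deny'.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in PII_SEGMENT:
        return "ignore", "source not on the PII segment"
    for net, ports in ALLOWED_DESTINATIONS.items():
        if dst in net and flow.dport in ports:
            return "allow", f"approved destination {net} port {flow.dport}"
    if not any(dst in net for net in INTERNAL_SPACE):
        return "deny", "internet destination reached from the PII segment"
    return "deny", "internal destination not on the allow-list"


# Constructed sample flows (203.0.113.0/24 is documentation address space, standing in for the internet).
SAMPLE_FLOWS = [
    Flow("10.50.0.15", "10.50.1.10", 443),    # normal use of the pension application
    Flow("10.50.0.15", "203.0.113.7", 443),   # outbound to an internet host: blocked by design
    Flow("10.50.0.15", "10.50.2.5", 445),     # file share that is not on the allow-list
    Flow("192.168.9.3", "203.0.113.7", 443),  # ordinary office workstation, out of scope here
]


def audit(flows=SAMPLE_FLOWS):
    """Return (src, dst, dport, reason) for every flow the policy denies."""
    findings = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            findings.append((f.src, f.dst, f.dport, reason))
    return findings


def render_nftables() -> str:
    """Render the same policy as an nftables forward chain with a drop default.

    Meant for the router/firewall in front of the PII segment; traffic from other
    segments is deliberately not handled here.
    """
    lines = [
        "table inet pii_segment {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        # return traffic for connections the rules below permitted",
        "        ct state established,related accept",
    ]
    for net, ports in ALLOWED_DESTINATIONS.items():
        port_set = ", ".join(str(p) for p in sorted(ports))
        lines.append(
            f"        ip saddr {PII_SEGMENT} ip daddr {net.network_address} "
            f"tcp dport {{ {port_set} }} accept"
        )
    lines.append(f'        ip saddr {PII_SEGMENT} counter log prefix "pii-egress-deny " drop')
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit():
        print("DENY", *finding)
    print(render_nftables())
```

Run it as a script to see the two denied sample flows and the generated ruleset. The point of the logged drop rule at the end is detection as much as prevention: a PII workstation that suddenly tries to reach the internet is exactly the signal that an opened attachment has done something, and the counter makes that visible without relying on the endpoint itself.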