Japanese manufacturer Murata apologizes for data breach

A subcontractor downloaded a database with sensitive bank account information from employees and business partners of the company.

An official with Japanese electronic components manufacturer Murata has released an apology for the leak of thousands of files in June that contained bank account information for employees and business partners of the company.

Norio Nakajima, CEO of Murata Manufacturing, released a statement apologizing for an incident on June 28 when a subcontractor downloaded a project management data file containing 72 460 pieces of information. 

More than 30,000 documents contained business partner information like company name, address, associated names, phone numbers, email addresses and bank account numbers. The companies are based in Japan, China, the Philippines, Malaysia, Singapore, the US and the EU, but the enterprises "subject to customer information are only China and the Philippines."

Over 41,00 documents about employees were in the leak as well, similarly containing names, addresses and bank account numbers. The employees were based in the company's offices in Japan, China, the Philippines, Singapore, the US and the EU.

"On July 20, 2021, it was confirmed that an employee downloaded the project management data including our business partner information and personal information to a business computer without permission and uploaded it to the personal account of an external cloud service in China," Nakajima said in a statement, adding that there is evidence that no one other than the subcontractor accessed the data.

"In addition, we have received reports from a survey of external cloud service providers that it was confirmed that the information taken out was never copied or downloaded by a third party. The uploaded data has already been deleted from the business PC and external cloud storage service. No virus infection or cyberattack has been confirmed in this matter."

Nakajima goes on to explain that the unnamed subcontractor was involved in the company's accounting system update project.

The notice included a timeline that tracked the incident from its inception on June 28 through its verification in August. Two days after the subcontractor downloaded the files, the company got a security alert, and by July 4, their security team had confirmed what happened. 

The company said it interviewed the subcontractor on July 8, who admitted to downloading the information and then uploading it to a private cloud account. 

"On the same day, the uploaded data was deleted under the supervision of the subcontractor," Nakajima said. 

By August, the company internally confirmed what happened and had an outside security firm also take a look at the situation. 

Japanese news outlet ITMedia spoke to the subcontractor, who said, "I was uploading my know-how to a personal cloud and organizing it in order to learn system design, etc. It happened to contain sensitive information about customers."

A Japanese blog confirmed that the subcontractor was an engineer for IBM Dalian Global Delivery, a subcontractor of IBM China. Murata's accounting system update project was outsourced to IBM Japan, which subcontracted it to IBM China. The system is used to pay both employees and partners. 

Murata told ITMedia that it was considering cancelling the contract and potentially seeking damages. 

Murata dominates the research, production and sale of electronic devices made from fine ceramics. With over 70 000 employees, it plans to bring in more than $2 billion this year.