Notice Concerning Unauthorized Access to Nagoya Area Network

MHI Group has confirmed that its network system in Nagoya, Japan was accessed by an unauthorized third party. The incident was discovered on May 21 through detection of unauthorized external communication on a Group server in Nagoya, and an investigation was launched. On May 22, a check of the Nagoya region’s data communications led to identification of the hacked equipment, and the affected equipment was immediately blocked from the network. Analysis of communication records was begun, and a report of the incident was swiftly sent to parties concerned. An internal investigation confirmed that no leaks had occurred either of sensitive information or highly confidential technical information, or of important information relating to Group business affiliates.

We sincerely apologize for any concern or inconvenience this incident may have caused to our customers or parties concerned. We will continue to take all necessary steps to strengthen our information security measures and monitoring systems.

Overview of the Incident

1. Chronology

April 29 While working from home, an employee of a MHI Group company connected to an external network, rather than to the MHI in-house network, and used a social networking service (SNS). The employee unknowingly downloaded a virus-infected file received from a third party, and the employee’s company computer was infected.
May 7 The employee reported for work at the office and reconnected to the MHI in-house network.
May 18 The virus spread to other equipment through the MHI in-house network.
May 21 Unauthorized external access was detected, and an investigation was launched.
From May 22 The hacked equipment was identified and immediately blocked from the network. Analysis of communication records, etc. was begun.
From June 16 Packet information was analyzed, and decoding and a detailed investigation were started.
July 21 The detailed investigation of leaked information was completed.

2. Investigation Results

The virus-infected company computers and servers were identified and an investigation was undertaken. The results revealed that no sensitive information or highly confidential technical information of the Group had been leaked, nor had any important information relating to any of our affiliates. The unauthorized communication emanating from the hacked equipment had been encrypted, but analysis and decoding of the stored packet information enabled us to know what information had been leaked and what actions the perpetrator had taken.

The results revealed that the leaked information consisted mainly of personal data (names and email addresses) of employees, etc. using the MHI Group network, as well as server logs, communication packets, server setting information and other IT-related information.

3. Cause and Measures to Prevent Recurrence

The incident is attributable to social engineering in the form of misuse of social media, and for that reason we are making the details of this incident widely known throughout the company in order to call attention to and alert all employees.

We also believe that because, at the time the incident occurred, it was possible to connect a company mobile computer to an external network without going through the company’s in-house network, this led to the damage inflicted by the malicious social engineering. Following this incident, we have taken the step of making it possible, when connecting a company computer to an outside network, to proceed only by going through the in-house network (Virtual Private Network connection).

A conceivable reason why the scope of the hacking spread from the individual employee’s company computer to other equipment is because the privileged local accounts of several servers within the affected area used the identical password. (We believe malicious use of the privileged accounts enabled log-in to other equipment.) In response, we have changed the passwords of privileged local accounts so that no two are the same.

Going forward, we will further strengthen our internal monitoring systems and make every effort possible to prevent a recurrence of a data breach of this kind.

4. Response to Customers and Parties Concerned

From the time this incident came to light, we undertook our investigation while working closely with, and reporting swiftly to, our customers and parties concerned. We will continue to take all necessary measures and further strengthen our systems management.