Multinational IT giant Fujitsu said it has been the victim of a malware attack that may have resulted in threat actors exfiltrating personal data and private customer information.
Fujitsu said it is conducting a forensic investigation to find out if information has been exposed. Fujitsu did not identify the nature of the attack nor provide any clues to who might be behind the infiltration. It also did not identify the malware used in the attack.
“We confirmed the presence of malware on multiple work computers at our company, and as a result of an internal investigation, we discovered that files containing personal information and customer information could be illegally taken out,” Fujitsu said in a notification posted on its website, as translated from Japanese.
However, there is likely more to the incident than Fujitsu has disclosed so far.
Private Information Left Unprotected?
According to The Stack, a U.K.-based publication, Fujitsu is said to have left unprotected some private AWS keys, client data and plain text passwords for upwards of a year, based on a report from a security researcher with the Dutch Institute for Vulnerability Disclosure.
The researcher, Jelle Ursem, told The Stack that the company unknowingly exposed a public Microsoft Azure storage bucket that included backup emails with sensitive data, passwords pulled from password manager LastPass and “scores” of Microsoft One Note files.
Such information is coveted by cyber actors for its value on underground, dark markets.
According to the report, which appears not to have been confirmed as yet by other researchers, Ursem tried to report his findings to Fujitsu but was met with corporate red tape.
Fujitsu's Incident Response
In the wake of the attack, Fujitsu said it disconnected the affected systems from its network and “took other measures such as strengthening monitoring of other business computers.” The company did not identify which data may have been stolen or if it belonged to personnel inside the company, third-party suppliers or customers.
Fujitsu further said that it has reported the event to Japan’s data protection agency, the Personal Protection Commission.
“In addition to reporting individually to the affected individuals and customers, we have also reported to the Personal Information Protection Commission in anticipation of the possibility that personal information may have been leaked,” the company said. “To date, we have not received any reports that personal information or information about our customers has been misused.”
It’s not known if Fujitsu has filed required data breach information with any other regulatory body, including U.S. authorities.
Ilia Sotnikov, a security strategist and vice president of user experience with Netwrix, a data security and compliance company, provided perspective on Fujitsu's approach to information disclosure following the incident.
"The decision about when and how much to disclose often depends on the organization's culture. Some organizations wait to be certain about the scope and the details of the incident before they report anything to avoid any misinterpretations," he said.
"Others, like Fujitsu, take a more proactive approach and inform potentially impacted customers that there may be a risk of misuse of their personal information," Sotnikov said. "Increasingly tighter breach notification rules we see in various jurisdictions aim to encourage companies to share the information early so that both authorities as well as any impacted parties are aware sooner and can make their own risk-based decisions.”
The cybersecurity event is the second time Fujitsu has been hacked in the last three years. In May 2021, a break-in into a number of Japanese government networks yielded hackers exploiting the company’s ProjectWEB information-sharing technology some 76,000 email addresses and confidential information.
Fujitsu has approximately 124,000 employees and sells to customers in some 50 countries and regions. Its client lineup includes government agencies and major corporations. At last count, the 89-year-old company has sales of $25 billion in fiscal 2023.