Who’s Who?
Murata Manufacturing, established in 1944, is a worldwide leader in the design, manufacture and sale of ceramic-based passive electronic components and solutions, communication modules and power supply modules. Many big tech companies are long-term customers, such as Samsung Electronics and Apple Inc. The company’s head office is located in Tokyo, Japan, but Murata has employees, offices and partners throughout the world. These include major sales and engineering hubs in at least 10 US cities, and many affiliates throughout Europe and Asia. The subcontractor involved in the incident, IBM Dalian Global Delivery, is actually a subcontractor of IBM Japan. Murata outsourced the transition from one accounting system to another to IBM Japan, who then subcontracted it to IBM Dalian Global Delivery.
Brazen Download of Sensitive Information
What happened sounds nothing less than a brazen download of sensitive information. In a statement released earlier this week (statement currently unavailable online), Norio Nakajima, CEO of Murata Manufacturing, explained the course of events.
On June 28, an employee of IBM Dalian Global Delivery downloaded a large file with project management data to his computer. Unknown to him, this immediately triggered a security alert in the company’s internal monitoring system. A couple of days later, an internal investigation confirmed that the employee had indeed downloaded a large file and that this file contained business partner information as well as people’s personal information. During an interview with the employee on July 8, the investigation team found out that the employee not only downloaded the information to his computer, but also uploaded it to a personal account on an external cloud service. And that their server is based in China.
Consequently, the external contractor reported the data breach to Murata. Fortunately, an external cloud service provider was able to confirm that the information hadn’t left the cloud server and that there were no signs of a third party having copied or downloaded the information.
What did the Employee Steal?
In total, the employee managed to download 72,460 pieces of information. More than 30,000 documents containing business partner information, such as company names, addresses, personal names, telephone numbers, email addresses, and bank accounts. The companies concerned are based Japan, China, Philippines, Malaysia, Singapore, the US and the EU. Close to 42,000 documents relating to Murata employees in Japan, China, Philippines, Singapore, USA and the EU were also stolen. These contained similar information to the business partner information, including people’s names, addresses, email addresses and bank accounts. “The Murata Group takes this incident seriously and will investigate the cause so that a similar situation does not occur again”, said Norio Nakajima. “The Group will also strengthen security and thoroughly manage information, including at external contractors.”
It Was Just An Accident…
The man told IT Media that he did not intentionally download sensitive information. According to the subcontractor, he only saved the data files to his device to familiarize himself with the project. He said he did not realize that the folders contained personal data on employees and sensitive business information. Over the last few years, there have been a growing number of reports relating to data breaches involving employees. Between 2018 and 2020, Google fired dozens of employees over data misuse. In 2020, Shopify faced a significant security breach caused by two rogue employees. In the same year, a Microsoft staff member stole over 10 million dollars from the company. Murata confirmed that all information has been removed from the subcontractor’s computer as well as from the China-based cloud server. So far, no virus infections or cyberattacks related to the incident have been identified. The statement did not reveal whether Murata is potentially seeking damages.