Behind the Hack: The BIPROGY USB Incident
Target: Although it’s unclear if there was a cyberattack or breach, the personal data of over 465,000 residents was put at risk by a negligent employee.
Date of incident: June 28, 2022
Quick take: BIPROGY is a Japanese IT company that was hired by the government of Amagasaki (a city just to the northwest of Osaka) to collect tax data on its citizens. When a BIPROGY employee decided to copy the data of 465,177 citizens onto a USB drive without authorization, the company and its client quickly discovered just how dangerous poor data management can be. According to a recent report in Vice, the employee went out drinking, fell asleep on the side of the road, and awoke to discover that the bag containing the USB drive was missing. There was highly sensitive data on the drive, such as addresses, bank account numbers, and tax information.
Why it matters: This story is hyper-relevant for cybersecurity professionals, company leaders, and employees. First, it demonstrates the vital importance of cybersecurity awareness – the BIPROGY employee should have known better than to put so much sensitive data on a personal device, especially since he didn’t have clearance to do so. Physical device security is increasingly crucial (now that remote work is here to stay and employees are traveling much more than they used to), and companies need to establish clear guidelines and authorization procedures to prevent employees from putting their data at risk.
Companies also have to focus on cybersecurity across their partner ecosystem. As cybercriminals increasingly target the weak links of supply chains, it’s essential to minimize third-party risk by determining the cybersecurity posture of your partners. At a time when substantial majorities of consumers believe the risks of companies and governments collecting data about them outweigh the benefits, your cybersecurity and data management platforms have to be capable of preventing dangerous security lapses and inspiring trust.
We’ve got a hack for that: Cybersecurity professionals will find NINJIO content that covers every aspect of the BIPROGY incident: from episodes about physical device security (such as “Let’s Get Physical” from April 2020) to our upcoming report on supply chain cybersecurity, which discusses third-party cyber-risk. Our episodes help companies establish healthy cybersecurity habits among employees (i.e., not taking a large trove of extremely sensitive personal data home with you and leaving it on the side of the road).
The companies in the strongest position to respond to rapidly evolving and increasingly destructive cyberattacks are the ones that establish a culture of cybersecurity. Take a look at our episodes “Whole Sum” (May 2022) and “See Something, Do Something” (July 2021) to learn how employees at every level of the company can be empowered to identify and prevent cyberattacks, report suspicious activity, and keep your data safe.