Some 12.6 million cases of personal information leakage were confirmed or suspected in Japan last year due to cyberattacks against companies and other entities, a Kyodo News survey showed Monday, meaning roughly one in 10 people face the possibility of a data leak.
The figure marked a sixfold increase from the 2.07 million cases in 2015, with a massive personal data leak incident involving Japanese travel agency JTB Corp. accounting for much of the rise. The tally also showed that credit card information is often targeted.
The tally is based on incidents that were made public last year, but an information security expert said it may represent “just the tip of the iceberg” partly because some companies may opt not to announce data leak cases amid fears of losing customer confidence.
According to the survey, the entities that suffered cyberattacks included 65 private companies and related entities, 17 administrative bodies and 11 schools.
The largest data leak incident was that of JTB, which said last June that personal information on some 6.79 million people, such as customer names and passport numbers, may have leaked.
The second- and third-biggest data leaks were at IT firm Piped Bits Co. and radio station company J-Wave Inc., which involved information on 980,000 and 640,000 customers, respectively.
Cosmetics maker Shiseido Co. also announced in December that personal information on about 420,000 customers leaked, which included credit card information on up to around 66,000 people.
According to the Japan Consumer Credit Association, the total amount of damages stemming from unauthorized use of credit cards reached 10.6 billion yen ($94 million) between January and September last year, up 25.2 percent from the same period a year earlier.
The association attributed the rise in the figure to “fraudulent use” of credit card numbers possibly linked to cyberattacks.
Stolen credit card information is known to be traded illegally online and used to purchase items through mail order. Money can be raised by selling the items.
Harumichi Yuasa, a professor at the Institute of Information Security, said some organizations may not notice that their computer systems were hacked and others may refrain from announcing data leakage even if they notice that they suffered cyberattacks.
“The (latest) figure may just be the tip of the iceberg,” he said, while calling for thorough information management by companies and administrative bodies.
In some cases announced last year, the details were largely unknown. The Japan Business Federation, or Keidanren, admitted that some information may have leaked, but an official of the lobby said it was not clear “what kind of information leaked and to what extent.”
Of the total 93 entities attacked last year, the largest group, 43, said hackers targeted the vulnerable points of their security systems, while 22 had their passwords scanned and 19 were sent computer viruses via e-mail.
The remaining nine did not know, or did not disclose, how they were attacked.