Fujitsu hack leaves critical questions unanswered after discovery of malware on IT systems

 general view of sign outside a Fujitsu office on January 15, 2024 in Warrington, United Kingdom
(Image credit: Getty Images)

Fujitsu has revealed hackers may have stolen personal data following a cyber attack on the company. 

The Japanese tech giant said an investigation by security teams discovered malware on “several” company systems, with compromised files containing personal information and customer details that could have been exfiltrated by threat actors.

"After confirming the presence of malware, we immediately disconnected the affected business computers and took measures such as strengthening monitoring of other business computers,” the firm said in a statement.

Fujitsu said it’s continuing to investigate how the incident unfolded and whether information has been leaked. It hasn't revealed any details of the stolen data, but noted it hasn't had any reports that personal information has been misused.

Customers potentially affected by the breach will be informed, the company confirmed. Fujitsu has also reported the incident to Japan’s data protection authority, the Personal Information Protection Commission.

Some Fujitsu hack details remain unanswered

Fujitsu is yet to provide additional details on when the intrusion took place, how long attackers had access to internal systems, and what type of malware was used. 

This, according to Adam Pilton, cyber security consultant at CyberSmart, raises serious concerns over the potential scale of the incident. The tech company has previously been embroiled in data protection-related controversy, with regulators in Japan questioning standards last year.

"If we cast our minds back to July 2023, we saw the Japanese Ministry of Internal Affairs and Communications publicly criticizing Fujitsu and calling out their poor governance, demanding that they do better in future," he said .

"It would not be fair to critique Fujitsu just yet, as we do not know all the details. However, it is fair to say that Fujitsu's reputation is at stake, as is their contract with the Japanese government."

This is just the latest in a series of embarrassments for the company in recent years.

In May 2021, its ProjectWEB SaaS platform for enterprise collaboration and file-sharing was exploited, allowing the attackers to breach the offices of multiple Japanese government agencies.

RELATED WEBINAR

More than 76,000 email addresses were stolen, along with proprietary data relating to its equipment systems, staff business email addresses, and information on its business relationships.

Last summer, it was rebuked by Japan’s Ministry of Internal Affairs and Communications for a security failing that led to a breach of its cloud service Fenics, used by government and large corporate customers.

Earlier this year, the firm was criticized for having knowingly supplied British sub-postmasters with faulty software that led to hundreds being wrongfully prosecuted for false accounting.

"Becoming a victim of a cyber attack does not always have obvious and immediate consequences, such as operational downtime or upfront financial costs," Pilton said.

"Reputational damage and the loss of business are also factors that must be considered as these will be felt over the longer term."

TOPICS
Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.