Photo/Illutration The building where Mitsubishi Electric Corp.’s main office is located in Tokyo’s Chiyoda Ward (Takuya Tanabe)

A private business that plays a major role in operating Japan’s social infrastructure has succumbed to cyberattacks.

To draw lessons from the case and to brace for more attacks, concerned parties should rush to establish facts and to share information on the incident.

Mitsubishi Electric Corp. announced on Jan. 20 that the company’s computer network had fallen victim to unauthorized access. An in-house probe at the company showed that personal data on 8,000 or so individuals, including employees, retirees and job applicants, may have been stolen, and so may have business secrets that pertain to technology and sales, company officials said.

They explained, at the same time, that the company has confirmed none of its sensitive information on defense, electric, railway and other industries, and none of its key information on the company’s clients, have been stolen.

They said an anti-virus system the company was using had weaknesses, which the hackers exploited before a patch program for fixing them was released. It is believed that groups of cyberattackers with Chinese connections may have taken part in the breaches.

How to block cyberattacks, which are about stealing information or causing system malfunctions, has emerged as a major challenge in cyberspace, which spreads across national borders. Such attacks could compromise people’s lives and national security, and there is a limit to what businesses could do individually to prevent them.

Companies should therefore share information with relevant institutions and work out countermeasures. A lack of preparedness could hamper cooperation with other countries.

The government’s National Center of Incident Readiness and Strategy for Cybersecurity and the industry ministry have presented a variety of guidelines, which, however, failed to block the latest development. There should be nationwide efforts to take extensive countermeasures because a broad gamut of entities, including small and midsize businesses, could fall under more attacks in the future.

It is so significant that Mitsubishi Electric, whose business operations include providing cybersecurity systems, succumbed to the attacks itself. The hackers could use the data they stole during their latest offensive to open “supply chain attacks,” which could target clients and other connections of the initial target the next time.

In light of that viewpoint, questions remain about the way Mitsubishi Electric reacted after it succumbed to the attacks.

Officials have said the company first noticed in late June last year that something was wrong and notified the Defense Ministry’s Acquisition, Technology & Logistics Agency later that summer about the matter. However, only earlier this month, or more than six months following the attacks, did Mitsubishi Electric first inform the industry ministry, and the government’s Personal Information Protection Commission, of what had occurred.

And it was only after officially acknowledging the development, in the wake of The Asahi Shimbun’s report, that the company finally began notifying outside individuals whose information may have been stolen.

Given there was a need to prevent the spread of the attacks, the delayed notices were questionable, even though, admittedly, it must have taken time to grasp what had happened. That opinion is shared by industry minister Hiroshi Kajiyama, who has pointed out the matter should have been promptly reported.

Also, Mitsubishi Electric is a business entity that has acquired, and keeps, personal data and, as such, bears heavy responsibility for protecting it. The company should therefore have reacted more quickly.

Relevant institutions should review the latest development and call for necessary improvement measures.

--The Asahi Shimbun, Jan. 26