Stolen ProjectWEB accounts caused Japanese government data breach

Fujitsu reports that the exploitation of the company’s ProjectWEB information sharing tool resulted in a data breach (May 2021) in an attempt to exfiltrate the accounts of legitimate users and gain access to proprietary data belonging to several Japanese government agencies.  

Fujitsu is a Japanese multinational technology company that employees over 126,000 employees in over 100 countries.  

During the cyber incident, the National Cyber Security Centre (NISC) of Japan, and the Ministries of Land, Infrastructure, Transport and Tourism disclosed that the threat actors managed to access to at least 76,000 email accounts. 

In response to news of the breach, the Cabinet Secretariat’s NISC urged government agencies and organisations responsible for critical infrastructure which use Fujitsu’s ProtectWEB tool to examine for signs of unauthorised access or data breaches.  

The company announced on 9th December 2021 that following an investigation of the breach, several security vulnerabilities that the threat actors may have used to access ProjectWEB accounts were detected.  

Furthermore, it was found during an internally conducted review that the threat actors gained illegitimate access by stealing the accounts belonging to legitimate users of ProjectWEB, enabling them to avoid detection. 

As detailed by Fujitsu, “One of these was used to illegitimately obtain legitimate IDs and passwords to make unauthorised access to ProjectWEB in such was that it appeared like an authorised user was accessing the tool through normal channels of authentication and communication.” 

Furthermore, “At present, the cause of this incident and out company’s response are additionally being verified by a committee comprised of external experts.” 

In response to the breach, ProjectWEB portal was shut down with plans to mitigate existing customers to a portal to be developed using zero-trust practices.  

Expressed by the company, “Fujitsu Limited will introduce a new project information sharing tool that addresses the issues raised by this incident with robust information security measures including those in line with zero-trust practices and will be migrating project management tasks to the new tool.”