E-mail addresses at the Japan Pension Service (JPS) that received e-mails carrying a virus were open to the public and had been used for equipment procurement, The Yomiuri Shimbun has learned.
The JPS announced Monday that staff computers were infected with the virus and that personal data of pension subscribers and others had been stolen in about 1.25 million cases.
According to the JPS, the title of the e-mails was the same as that of a document compiled by a Health, Labor and Welfare Ministry council. The JPS told The Yomiuri Shimbun that an attacker used open information and cleverly deceived members of its staff into opening the virus-laden e-mails.
The ministry plans to establish by the end of this week an investigation committee of outside experts to prevent the recurrence of a similar incident. After the committee summarizes the outcome of its probe, the ministry will discuss punishment of senior JPS officials.
Many e-mails with a file containing a virus were sent to the JPS from May 8 to 18, and two JPS staff members separately opened the file.
The virus-bearing e-mail was sent to the JPS Kyushu bloc headquarters in Fukuoka and the attached file was opened on May 8. Another e-mail with a virus file, which was opened by another staff member, was sent to the JPS headquarters in Suginami Ward, Tokyo.
Several dozen computers in Tokyo and Fukuoka are believed to have been affected by the unauthorized access.
The e-mail addresses that received the virus-bearing e-mails were meant to be used by companies that want to participate in open bidding conducted by JPS regional headquarters to procure equipment. The JPS staff involved in equipment procurement used the addresses, which were displayed on the JPS website.
The virus-carrying e-mail that was sent and opened on May 8 was titled, "Opinions over a review of corporate employees' pension fund system (draft)." The title reflects a corporate employees' pension fund system reform plan compiled by the ministry's council. The reform plan was drawn up following a scandal involving AIJ Investment Advisors Co. over missing pension funds, which surfaced in 2012.
This reform plan was posted on the ministry's website in February 2013.
The equipment procurement and the pension system reform are not directly linked. However, a senior JPS official said, "The staff members may have opened the e-mails because the corporate employees' pension plan is part of JPS operations."
The virus sent to the JPS was the same type of virus that was sent to major companies and other recipients in Japan in autumn, according to an information security company official.
In September and October last year, a virus-bearing e-mail titled "Notice about medical expense" was sent to major companies and the resulting virus infection led to the names and telephone numbers of clients being compromised. The same e-mail was sent to about 40 House of Representatives members and others. A group called "CloudyOmega" is believed to have been involved in those attacks.