University private info left open to public access

JAPAN - Personal information on students and other university members, which is read by and stored in all-in-one machines at the University of Tokyo and two other universities, was left accessible to the public via the Internet, it has been learned.

The documents whose data was stored in multifunction machines-which can function as a printer, copier, fax machine and scanner-included residence certificates, examination papers and a scholarship application form, according to Yomiuri Shimbun research.

A total of 264 people, mostly university students, have been affected by the case.

Most all-in-one machines currently marketed by electronics manufacturers are designed for online connection. Data stored in such equipment can be accessed and browsed from outside if their default settings are kept intact. "We didn't know such a mechanism existed," a university official said.

"Electronics makers have made rapid progress in expanding the versatility of photocopiers, but they are barely aware of the importance of information security. They should adequately tell users there's an increasing danger [involved in using multifunction machines] due to a growing number of malicious attackers now," said Prof. Seiichi Shin, an information security expert at the University of Electro-Communications.

The institutions affected by the case are the Institute of Medical Science at the University of Tokyo, Tohoku University and the University of the Ryukyus. They use multifunction machines produced by Ricoh Co., Fuji Xerox Co. and Sharp Corp.

At the Institute of Medical Science, personal information on about 120 persons was left open to public access. The data included questionnaires completed by nurses at the institute's affiliated hospital about nursing care for hemophiliacs, as well as the names of participants in training sessions. It also included the results of examinations taken by students at Toho University and marked by a researcher from the institute who taught them as a part-time instructor.

Personal information on about 20 students and others who belonged to a Tohoku University laboratory was also left accessible. The documents affected included driver's licenses, residence certificates and interview sheets prepared after medical checkups. Even a scholarship application form was included. The form contained the name of the student, his mobile phone number and his parents' employment.

At the University of the Ryukyus, answer sheets collected from 95 students who sat for term-end examinations in January and February were left visible. The data included their names, answers and scores.

The University of Tokyo and the University of the Ryukyus told the Yomiuri that they were still investigating the affair. Meanwhile, Tohoku University declined to comment.

Accessibility to personal information stored in multifunction machines is not limited to the three universities. At a law firm in the Tokyo metropolitan area, a copy of a summons faxed from the Utsunomiya District Court was left accessible, making it possible to look at such data as the names of litigants in a lawsuit filed to demand the return of money paid in excess of a borrower's due interests.

Most multifunction machines are designed for online connection. Their default settings do not include IDs and passwords, meaning that anyone can look at data that may be read by and stored in such machines. Such access can be prevented if an all-in-one machine's configurations include a setting for the use of firewalls.

Last year, the three electronics manufactures became aware of the problem. But all they did was post a warning on their websites. They made little progress in passing on such warnings to individual customers who bought their products. The three corporations told the Yomiuri that they would not comment on individual cases.