2015/08/23

The Yomiuri Shimbun
Low security consciousness at JPS exacerbated pension data breach

The Japan Pension Service can hardly be regarded as an organization properly handling a massive amount of personal information. Its sloppy information management must be corrected urgently.

An in-house investigation committee at the JPS and a third-party panel at the Health, Labor and Welfare Ministry have released, separately, reports on the findings of each of their investigations into an incident in which 1.25 million cases of personal information, including the basic pension numbers of pension recipients, were compromised at the JPS.

According to the JPS report, the organization received a total of 124 targeted e-mails carrying a virus between May 8 and 20. Employees opened the attachments of five of them, infecting 31 personal computers, and the information was then leaked in a single burst over three days beginning May 21.

There were several opportunities during that period for the JPS to prevent the damage from spreading.

However, the organization did not configure its mail system to reject further messages from the sender address after the first malicious e-mail arrived. It did not properly confirm with recipients whether they had opened the attachments, and it was slow to cut off the Internet connection for the entire JPS system.

JPS President Toichiro Mizushima said during a news conference Thursday, “I thought we had confirmed whether the attachment had been opened.” The comment suggests a lax approach in which everything was left to those in charge. It was natural for the report to say that “a sense of crisis was lacking.”

It is also problematic that sloppy information management has become everyday practice at the JPS.

Personal information was permitted to be stored on an Internet-connected shared file server whenever this was deemed necessary. The JPS was thus exposed to a constant risk of data leakage.

Absence of systematic checks

Rules such as setting passwords were not observed and the JPS did not have a system in place to check what was going on.

The report identified long-standing problems carried over from the era of the JPS’s predecessor, the Social Insurance Agency, including a lack of unity as an organization, as underlying the data breach. At the now defunct SIA, a three-tier structure of employees recruited separately by its central and local offices led to a lack of control, which in turn produced a number of scandals, including the massive blunder over pension record-keeping.

Such an organizational culture likely remains pervasive within the JPS. A sweeping organizational reform is called for, in addition to the bolstering of information management systems.

The welfare ministry’s responsibility is also grave in this regard.

According to the report released by the ministry’s third-party investigation panel, adequate supervision could not be provided because it was not clear which department at the ministry was in charge of the JPS’s information systems.

Although the JPS had suffered a similar cyber-attack in April, before it received the targeted e-mails in May, the ministry neither shared information about that incident nor issued an alert.

It was natural for welfare minister Yasuhisa Shiozaki to say, “Both the JPS and the ministry must take responsibility [for the incident].” It is necessary to ensure that a recurrence of similar incidents is robustly prevented, and that work proceeds toward restoring confidence in the pension system.

Joint public-private efforts are needed to counter cyber-attacks, which are becoming ever more sophisticated.

(From The Yomiuri Shimbun, Aug. 22, 2015)
