Offices of multiple Japanese agencies were breached via Fujitsu’s “ProjectWEB” information sharing tool. Fujitsu states that attackers gained unauthorized access to projects that used ProjectWEB, and stole some customer data. It is not yet clear if this breach occurred because of a vulnerability exploit, or a targeted supply-chain attack, and an investigation is ongoing.

Recent amendments to Japan’s APPI (Act on Protection of Personal Information) privacy law bring, among other things, mandatory data breach notification and thereby convincingly demonstrate that the government of Japan takes cybersecurity seriously. The Fujitsu incident resembles the SolarWinds one in the US and will probably have similar consequences including enhanced cybersecurity regulations, comprehensive due diligence of governmental contractors akin to the DoD’s CMMC in the US, and likely additional funding for national cybersecurity. Surging supply chain attacks of national amplitude and multi-billion losses will probably trigger similar consequences around the globe. Spending more, however, does not mean spending wiser. Legislators and regulators should thus consider a consistent, holistic, multistakeholder and long-term oriented cybersecurity strategy as a key factor for regulated organizations to prevent cyber attacks and reduce data breaches. An ad hoc or unstructured approach does not work anymore.