Fujitsu failed to keep customers’ sensitive information secure. AWS keys and passwords were publicly exposed on the Internet for a year. Dutch water utility PWN is one of the victims.
Security researcher Jelle Ursem, who works for the Dutch Institute for Vulnerability Disclosure (DIVD), discovered the data breach. The discovery required no intrusion: sensitive customer information was stored in a publicly accessible Microsoft Azure storage bucket.
Items stored in the bucket included AWS keys and plainly readable passwords. It even contained a file into which strong passwords generated by the password manager LastPass had been copied. Furthermore, full email conversations could be followed, and the bucket contained personal information about teams Fujitsu worked with.
Unclear reporting system
In the spring of 2023, Fujitsu removed the sensitive information from the public repository. Ursem says reporting the data breach took a lot of perseverance. The company reportedly had no clear protocol for such security notifications. As a result, Ursem had to fall back on his personal contacts.
The security researcher says he also has doubts about Fujitsu’s security protocols. “This is not an indicator of a very good attitude toward the current state of their cyber security,” he told The Stack. With this statement, he refers to the high frequency of incidents the company faces.
One such incident occurred this very week. The Japanese branch reported falling victim to a cyber attack. In that attack, hackers allegedly installed malware on computers, which allowed them to steal files. The files involved both internal information and customer data.
Important customer base
Fujitsu deals in many areas of IT, attracting a large and important customer base. Among the customer stories, we found testimonials from pharmaceutical company Pfizer, optician Specsavers and the university TU Delft. At this university, Fujitsu supports the construction of the supercomputer DelftBlue. In addition, many government agencies purchase services from the company.
The more important the customer base, the more attractive the company is to hackers. Robust security measures are therefore essential at Fujitsu, although such measures alone cannot completely rule out a cyber attack.
The blunder Ursem discovered, however, arose from careless handling of personal customer data. Ursem thinks customers may expect more, in preventing this kind of blunder, from a company that provides services to government agencies. “How can you even fight against people exporting your LastPass safe and dumping it in a public bucket?”
The leaked data included information from PWN. The company supplies drinking water to more than 800,000 families, businesses and institutions in North Holland. It is not yet clear whether the data was misused.