Update Regarding Unauthorized Access to Project Information Sharing Tool

Fujitsu Limited

Tokyo, December 9, 2021

Fujitsu today announced its latest findings and countermeasures regarding the unauthorized access to Fujitsu’s "ProjectWEB” tool announced earlier this year.

In response to the issues revealed during Fujitsu’s review into the incident, a dedicated CISO was appointed on October 1st of this year, and measures to prevent reoccurrence have been formulated under a new information security management and operation framework. Fujitsu Limited will introduce a new project information sharing tool that addresses the issues raised by this incident with robust information security measures including those in line with zero-trust practices and will be migrating project management tasks to the new tool. As a result of the review, it was decided to discontinue the use of the existing information sharing tool.

Regarding the incident, Fujitsu conducted a review considering all possibilities, including intrusion by exploiting vulnerabilities and malware infection of the terminals of operation administrators and general users. The internal review, which has already concluded, confirmed several types of potential vulnerabilities that a third party could exploit. One of these was used to illegitimately obtain legitimate IDs and passwords to make unauthorized access to ProjectWEB in such a way that it appeared like an authorized user was accessing the tool through normal channels of authentication and communication.

At present, the cause of this incident and our company's response are additionally being verified by a committee comprised of external experts. In addition, from an objective and technical perspective, Fujitsu is consulting with the National center of Incident readiness and Strategy for Cybersecurity (NISC) to confirm the appropriateness of the investigation into the cause of this incident and the confirmation of the extent of impact of the incident. Based on the results of the verification by the external committee and advice from Japan’s NISC and other relevant authorities, Fujitsu will summarize this matter at an appropriate time. Fujitsu will additionally respond to any issues pointed out regarding the new tool based on the results of future verification, improving security measures required in response to changes in technology and threat trends.