Update Regarding Unauthorized Access to Project Information Sharing Tool

Fujitsu Limited

Tokyo, April 22, 2022

On March 28 of this year, Fujitsu received the report on the review and verification of this issue from the previously announced committee composed of external experts. Based on the key details of the case identified by the external committee, the external committee analyzed the causes surrounding this incident and proposed recommendations on measures to prevent recurrence as described in the attachment.

Fujitsu has appointed a dedicated CISO as of October 1, 2021 and has been formulating and implementing recurrence prevention measures under a new information security framework since the issue initially came to light. In addition, on April 1, 2022, Fujitsu has revised the CISO authority regulations to expand and clarify the scope of the CISO’s authority to promote company-wide information security measures. Based on the recommendations received from the external committee, Fujitsu will further improve and strengthen measures to prevent the recurrence of similar incidents, while striving to implement such measures as appropriate.
Fujitsu recognizes the need of improvement of its corporate culture pointed out by the external experts as a serious issue and will take fundamental and continuous efforts to regain the trust of customers and stakeholders affected by this issue as soon as possible.

1. Stricter security measures and thorough management and supervision
   Fujitsu has implemented measures to ensure the proper use of information systems, including the standardization of security frameworks for information systems provided by Fujitsu based on its security policies. Fujitsu has further implemented measures for the proper use of multi-factor authentication and information management and strengthened its security management through audits, monitoring, and corrective management of actual systems and measures by an organization directly reporting to the CISO.
2. Enhanced response to security incidents
   Fujitsu has established an emergency response system for large-scale incidents through the development of an incident response process under the leadership of the CISO, acceleration of incident response through continuous training, and constant verification of the appropriateness of security measures.
3. Centralized management of internal IT systems and promotion of autonomous remediation of project departments
   Fujitsu will further reinforce its present risk management by centralizing and visualizing IT system assets and information management. An organization directly reporting to the CISO will promote appropriate understanding of the current situation and autonomous correction in each project division by visualizing information audits and risk audit results.
4. Strengthening education and review of systems to raise company-wide security awareness and literacy
   In addition to strengthening existing regular company-wide training, Fujitsu will educate employees and raise their awareness by periodically disseminating information such as CISO notifications. Fujitsu will further improve the security literacy of organizations by transforming the “Security Meister certification system,” a system to discover and certify individual security skills, into a system to strengthen the cybersecurity capabilities of the entire organization.
5. Improvement of external communication
   To protect its customers, Fujitsu has formulated an external disclosure policy including policies regarding an appropriate timeline for information disclosure and the necessary amount of information to be provided to each stakeholder. Fujitsu will further strengthen its external communication through regular training.

In the course of an internal review of this incident, Fujitsu confirmed that it didn’t manage customer information in a proper manner. Accordingly, in September 2021, Fujitsu took disciplinary action against relevant executives and took measures to further strengthen company-wide information management to take all possible measures to prevent recurrence. Fujitsu regards this matter seriously and would again like to take the opportunity to express its sincere regret to all those involved for the great concern and inconvenience caused. Based on the lessons learned from this incident, Fujitsu will continue to engage in thorough communication with its stakeholders, including customers and related authorities, and make company-wide efforts to prevent a recurrence. In response to the incident, CEO Takahito Tokita and COO Hidenori Furuta voluntarily decided to return 10% of their monthly remuneration for one month.

Information security represents a critical element in its business, and Fujitsu will always strive to ensure and improve information security for customers through its products and services while delivering information security for the entire group in realization of its purpose: "to make the world more sustainable by building trust in society through innovation."

Comment from the Board of Directors

Fujitsu Limited’s Board of Directors has determined that, in view of the fact that the incident has caused considerable concern and inconvenience to our customers and other parties concerned, it is necessary to conduct not only an internal review, but also a fair review from an external, objective viewpoint.

Fujitsu’s Board of Directors will take the results of this review of the external committee with the utmost seriousness and formulate, as soon as possible, measures to prevent the occurrence of unauthorized access and other information security incidents, and a review of systems and processes to minimize the impact on stakeholders in the event of any future incident. The Board of Directors will also instruct the executive side to undertake the reforms to corporate culture recommended by the external committee, and appropriately monitor the effectiveness of these measures.

Attachment

• Matters pointed out by the external committee (66.88KB)