Update Regarding Unauthorized Access to Project Information Sharing Tool
Tokyo, April 22, 2022
On March 28 of this year, Fujitsu received the report on the review and verification of this issue from the previously announced committee composed of external experts. Based on the key details of the case that it identified, the external committee analyzed the causes of this incident and proposed recommendations on measures to prevent recurrence, as described in the attachment.
Fujitsu appointed a dedicated CISO as of October 1, 2021 and has been formulating and implementing recurrence prevention measures under a new information security framework since the issue initially came to light. In addition, on April 1, 2022, Fujitsu revised the CISO authority regulations to expand and clarify the scope of the CISO’s authority to promote company-wide information security measures. Based on the recommendations received from the external committee, Fujitsu will further improve and strengthen measures to prevent the recurrence of similar incidents, while striving to implement such measures as appropriate.
Fujitsu recognizes the need to improve its corporate culture, as pointed out by the external experts, as a serious issue and will make fundamental and continuous efforts to regain the trust of customers and stakeholders affected by this issue as soon as possible.
- Stricter security measures and thorough management and supervision
Fujitsu has implemented measures to ensure the proper use of information systems, including the standardization of security frameworks for information systems provided by Fujitsu based on its security policies. Fujitsu has further implemented measures for the proper use of multi-factor authentication and information management and strengthened its security management through audits, monitoring, and corrective management of actual systems and measures by an organization directly reporting to the CISO.
- Enhanced response to security incidents
Fujitsu has established an emergency response system for large-scale incidents through the development of an incident response process under the leadership of the CISO, acceleration of incident response through continuous training, and constant verification of the appropriateness of security measures.
- Centralized management of internal IT systems and promotion of autonomous remediation of project departments
Fujitsu will further reinforce its present risk management by centralizing and visualizing IT system assets and information management. An organization directly reporting to the CISO will promote appropriate understanding of the current situation and autonomous correction in each project division by visualizing information audits and risk audit results.
- Strengthening education and review of systems to raise company-wide security awareness and literacy
In addition to strengthening existing regular company-wide training, Fujitsu will educate employees and raise their awareness by periodically disseminating information such as CISO notifications. Fujitsu will further improve the security literacy of organizations by transforming the “Security Meister certification system,” a system to discover and certify individual security skills, into a system to strengthen the cybersecurity capabilities of the entire organization.
- Improvement of external communication
To protect its customers, Fujitsu has formulated an external disclosure policy including policies regarding an appropriate timeline for information disclosure and the necessary amount of information to be provided to each stakeholder. Fujitsu will further strengthen its external communication through regular training.
In the course of an internal review of this incident, Fujitsu confirmed that it did not manage customer information in a proper manner. Accordingly, in September 2021, Fujitsu took disciplinary action against relevant executives and took measures to further strengthen company-wide information management, doing everything possible to prevent recurrence. Fujitsu regards this matter seriously and would again like to take the opportunity to express its sincere regret to all those involved for the great concern and inconvenience caused. Based on the lessons learned from this incident, Fujitsu will continue to engage in thorough communication with its stakeholders, including customers and related authorities, and make company-wide efforts to prevent a recurrence. In response to the incident, CEO Takahito Tokita and COO Hidenori Furuta voluntarily decided to return 10% of their monthly remuneration for one month.
Information security is a critical element of Fujitsu's business, and the company will always strive to ensure and improve information security for customers through its products and services while delivering information security for the entire group in realization of its purpose: "to make the world more sustainable by building trust in society through innovation."
Comment from the Board of Directors
Fujitsu Limited’s Board of Directors has determined that, in view of the fact that the incident has caused considerable concern and inconvenience to our customers and other parties concerned, it is necessary to conduct not only an internal review, but also a fair review from an external, objective viewpoint.
Fujitsu’s Board of Directors will take the results of this review of the external committee with the utmost seriousness and formulate, as soon as possible, measures to prevent the occurrence of unauthorized access and other information security incidents, and a review of systems and processes to minimize the impact on stakeholders in the event of any future incident. The Board of Directors will also instruct the executive side to undertake the reforms to corporate culture recommended by the external committee, and appropriately monitor the effectiveness of these measures.
Fujitsu is the leading Japanese information and communication technology (ICT) company offering a full range of technology products, solutions and services. Approximately 126,000 Fujitsu people support customers in more than 100 countries. We use our experience and the power of ICT to shape the future of society with our customers. Fujitsu Limited (TSE:6702) reported consolidated revenues of 3.6 trillion yen (US$34 billion) for the fiscal year ended March 31, 2021. For more information, please see www.fujitsu.com.
Public and Investor Relations Division
Company: Fujitsu Limited
Date: 22 April, 2022
City: Tokyo, Japan