Fujitsu's efforts to strengthen information security measures and system quality in Japan
Tokyo, Japan, May 19, 2023
We would like to take this opportunity to express our regret on behalf of the Fujitsu Group for recent incidents in Japan that have caused concern and inconvenience to our customers and other parties, and to reiterate our commitment to addressing security incidents and system quality issues with robust and comprehensive measures.
In 2021, we detected unauthorized access to ProjectWEB, a project information sharing tool used in Japan, and in 2022, we discovered information security incidents at FJcloud-V/Nifkura, FENICS Internet Service, and other cloud services. A series of issues related to the Fujitsu MICJET convenience store system have also undermined residents’ confidence in the administrative services that they can access at convenience stores in Japan. Fujitsu is currently engaged in a thorough review of this system in close cooperation with local governments under the guidance of Japan’s Digital Agency and Ministry of Internal Affairs and Communications, as well as other relevant organizations to prevent a recurrence.
As a company responsible for systems that play an important role in Japanese society, the Fujitsu Group takes these incidents very seriously, and the entire company will promote the following measures to ensure more robust information security and further improve system quality.
I. Strengthening the Organization
Fujitsu has taken seriously the recommendations of the third-party verification committee established to deal with cases of unauthorized access to ProjectWEB and has worked on a company-wide basis to formulate and implement prevention measures as well as to improve corporate culture. Based on the initiatives taken to date, we have decided to newly appoint a Chief Quality Officer (CQO) as the person responsible for quality for the entire group, as we believe that company-wide and cross-organizational measures led by top management are more essential than ever to further strengthen measures and ensure effectiveness. Furthermore, we will enhance the structure and functions of our company Risk Compliance Committee, chaired by the CEO, and strengthen this framework to ensure constant and thorough company-wide responses.
Specifically, the CQO will be newly added to the members of this committee, which has been the venue for deliberations on important risk compliance issues related to the Fujitsu group. A framework will be established in which concrete measures are determined and promptly implemented, including company-wide measures related to information security and system quality as well as responses to individual events. By establishing such a framework, we will be able to thoroughly implement risk management led by the CEO, which gives the CISO and CQO stronger authority than ever to supervise the process, including across different CxO areas such as personnel systems and investment resources. Additionally, to ensure the rapid and effective implementation of measures, the Committee will be held every month.
II. Strengthening information security measures
In response to the information security incident involving the project information sharing tool "ProjectWEB" and the cloud service "FJcloud-V/Nifkura," we have been working on horizontal development of measures to prevent recurrence. In the case of ProjectWEB we received recommendations from the verification committee to prevent a recurrence, and in fiscal 2022, we took a variety of preventive measures. For example, we adopted a rule to require multi-factor authentication for all internet systems and completed this measure in December 2022. In November of the same year, we visualized security risks through company-wide security checks.
However, some projects were inspected before the vulnerability detection system was established, so the content of their inspections was insufficient. As a result, unauthorized access to the Internet service "FENICS" was not immediately noticed, and the situation grew worse.
Based on this, we will develop a mechanism to detect vulnerabilities and take appropriate measures by visualizing and understanding security risks in a highly objective manner.
a. Highly objective risk assessment and response
(development of framework to detect vulnerabilities)
To detect vulnerabilities, it is necessary to manage all IT assets, and we have introduced a framework to do so by scanning potential vulnerabilities of managed IT assets and collating this data as part of a comprehensive audit. As IT assets are growing rapidly, however, it is necessary to also better understand assets that are out of scope for management, such as pre-registration assets. For this reason, we have introduced a system to identify accessible assets that are open to the public on the Internet from the same perspective as potential attackers. Regarding the former framework, we completed the audit and registration of IT assets in Japan during fiscal 2022 and started vulnerability scanning and matching in fiscal 2023. As for the latter class of IT assets, we have already established a dedicated team to address this area, which is starting global operations in fiscal 2023.
Also, management of IT assets visualized by these mechanisms, along with a “Centralization of Authority Concerning Security Controls,” will be promptly addressed.
b. Centralization of security control authority
In April 2022, we granted the CISO the authority to suspend system operations from the viewpoint of information security. In addition, from FY 2023, the CISO will place the budget for on-site security controls under its discretion to improve the speed of security responses and control accuracy.
c. Strengthening the security of field organizations
In fiscal 2022, we redefined the role of security personnel, particularly those responsible for on-site security, and reviewed our professional certification system. After clarifying the roles and responsibilities of on-site security officers, we reviewed the compensation system and strengthened the security framework of on-site organizations in Japan in advance of January 2023.
To provide a deeper understanding of the specific initiatives of the entire company, including the content described above, we plan to create content that reviews past incidents and summarizes specific causes and recurrence prevention measures in a comprehensive manner. This resource will be available for download from our company website in the second half of fiscal 2023.
III. Improving system quality
We are promoting the centralization of quality control authority, moving away from quality assurance that depends on each business domain and organization. Specifically, in the SI business in Japan, the structure was changed to one in which the customer front division, Japan Global Gateway (JGG), and Global Delivery Center (GDC) work together to implement projects. Quality regulations corresponding to this structure were issued, and quality control and risk monitoring based on company-wide quality standards were implemented internally in fiscal 2022.
While similar measures were planned for roll out to Fujitsu Japan in 2023, in light of the recent quality issues that have arisen in Fujitsu Japan, it has become apparent that we have not been able to effectively respond to these issues in time. In the area of administrative services used by residents in cities across Japan, there have been projects where quality control is insufficient.
a. Early centralization of quality control authority over Fujitsu Japan
Fujitsu Japan will immediately centralize quality control authority. Specifically, we will develop standardized project management, quality management, predictive detection through risk monitoring, and physical confirmation.
b. Permanent compliance with quality control over services to residents
There was a lack of consideration regarding implementation technology suitable for use situations and changes in users. Based on this cause, we will thoroughly implement additional fail-safe measures in the design, implementation, and testing of transaction uniqueness security in the certificate issuing process.
Furthermore, we will establish a third-party system to check the validity of the plan. Specifically, the Global Quality Management Headquarters will check systems that handle personal information, such as issuing certificates, at the planning stage of the project independently of business units. This will include determining whether the work processes and systems that ensure quality are incorporated and establishing a process to verify whether the system is actually implemented as planned in each process, and we will implement concrete and thorough application of this system to services for residents from May 2023.
c. Strengthening design, operation to support quality control and risk monitoring
Fujitsu will build a framework to more objectively evaluate quality and shipment decisions at development sites by placing information surrounding quality occurring at development sites, such as project progress, test density and defect detection rate, on the Fujitsu Developers Platform and combining it with EVM (Earned Value Management) and quality indicators for timely analysis. The system will be operational from October 2023.
We would like to express our deepest regret for the concern and inconvenience caused to many customers and other parties in Japan as a result of the aforementioned incidents. To ensure that Fujitsu can continue fulfilling its commitment to society and its customers, the strengthening of information security measures and the improvement of system quality are indispensable. Fujitsu will continue to make efforts to restore the trust of its customers and stakeholders throughout society and to realize its purpose of “making the world more sustainable by building trust in society through innovation.”
Fujitsu’s purpose is to make the world more sustainable by building trust in society through innovation. As the digital transformation partner of choice for customers in over 100 countries, our 124,000 employees work to resolve some of the greatest challenges facing humanity. Our range of services and solutions draw on five key technologies: Computing, Networks, AI, Data & Security, and Converging Technologies, which we bring together to deliver sustainability transformation. Fujitsu Limited (TSE:6702) reported consolidated revenues of 3.7 trillion yen (US$28 billion) for the fiscal year ended March 31, 2023 and remains the top digital services company in Japan by market share. Find out more: www.fujitsu.com.
Public and Investor Relations Division
Company: Fujitsu Limited