By Bruce Sussman
Wed | Jan 22, 2020 | 11:19 AM PST

Mitsubishi Electric announced this week that hackers used a cybersecurity defense tool to hack into its network and steal data.

How did hackers access Mitsubishi Electric?

The company revealed that hackers exploited a zero-day vulnerability in its antivirus software to access its network. It did not identify which antivirus vendor or product was involved, but it explained the result of the attack:

"We have confirmed that trade secrets may have leaked to the outside."

Mitsubishi Electric builds satellites, AI-based wastewater treatment controls, electroplating machines, and many other things for all kinds of industries and infrastructure.

Japanese media reports suspect China in the cyberattack. Although Mitsubishi Electric did not comment on who might be behind the data breach, it did recently announce it won a design infringement case in China.

What type of data was stolen in the Mitsubishi Electric data breach?

While the company admits trade secrets may have been taken, its statement confirms that sensitive information on its critical infrastructure products was not taken. 

The hackers also took this information, according to the company:

  • Employment applicant information (1,987 people)
  • Employee information (4,566 people)
  • Information on retired employees of affiliated companies (1,569 people)

Mitsubishi Electric data breach timeline

News of the Mitsubishi Electric data breach surfaced on January 20, 2020, through a brief statement.

However, a follow-up statement that revealed the antivirus attack vector indicates the company noticed unusual activity in June 2019 and began restricting the attackers' network access.

Its investigation was hampered, it says, because hackers deleted critical log files that would have revealed more about their activity on the network.

Regardless, six months is a long time to wait to announce a data breach. A long time, but well within Japanese law. In fact, reporting a data breach in Japan is a suggestion and not a requirement, according to law firm DLA Piper:

"It is not legally required to report a data breach incident to the PPC or to notify the relevant data subjects. However, the PPC guidelines recommend that this notification be made and it is the market standard practice to report data breach incidents in Japan. Not doing so and instead having the breach discovered publicly would have a potentially massive negative impact on brand image and reputation in Japan."

Mitsubishi Electric announces a growing focus on cybersecurity

Interestingly, the month after the attack was discovered (and long before it was announced), Mitsubishi Electric published a special report on its information security practices:

"The Mitsubishi Electric Group practices confidential corporate information management and personal information protection utilizing a continuous improvement approach implemented using the Plan, Do, Check, Act (PDCA) cycle, and employs four security measures to ensure proper management and protection of confidential corporate information and personal information from the organizational, human, physical, and technological perspectives."

Read PDF: Mitsubishi Electric Group Information Security Report 2019
