Security Breach: Power Plant’s Data Leaks Onto Net

THE PROBLEM: Sensitive documents about a Japanese thermal power plant–including a list of the names and home addresses of the plant’s security personnel–were uploaded to an Internet file-sharing network by a program an employee installed on his computer.

The documents provided information about a power plant in Owase, in central Japan, operated by Chubu Electric Power. They included details of the location of the control room, instrument panel room and boilers, according to an article in The Japan Times. The incident was disclosed by security officials May 15.

Also leaked were manuals about dealing with “unconfirmed reports of intruders” at the plant, along with personal information about guards who work for the plant’s security firm, according to the article.

The information was passed to the Internet through a Japanese file-sharing program called Share, installed on the computer of a 40-year-old employee of the plant’s security firm, after the computer was infected with a virus. He had started to use Share in March, according to The Japan Times.

The breach followed a similar incident in January, in which technical information from another Chubu thermal power plant leaked onto a file-sharing network from the virus-infected home computer of an employee. According to a Chubu statement, that information included a form used to record inspections as well as some inspection records, but didn’t include any information about nuclear materials, customers or power supplies.

KEY LESSON: Make sure all computers that contain sensitive corporate data are protected from viruses and other Internet attacks–including those of contractors and employees’ home computers–and enforce a policy of banning Internet file-sharing software from corporate PCs.

Graham Cluley, a senior technology consultant for U.K.-based antivirus software vendor Sophos, believes Chubu and other Japanese companies have been targeted by virus writers who have written malware specifically to disclose data over file-sharing networks. “All businesses need to take steps to ensure that employees’ use of company data is secured and controlled,” he says.
