The hacking of technology giant Fujitsu has hit the company’s credibility yet again, ratcheting up pressure on the company days after the UK Government introduced legislation to resolve the Post Office debacle that Fujitsu errors created.
Admission of the compromise came via a terse press release in which the company “confirmed the presence of malware on several of our company’s work computers” and said that an internal investigation had revealed that “files containing personal information and customer information could be illegally taken out [translation by Google].”
The affected business computers were “immediately disconnected”, the company said, adding that it had taken other measures to “strengthen monitoring of other business computers”, and to “investigate the circumstances surrounding the malware’s intrusion and whether information has been leaked.”
In anticipation of data having been leaked, Fujitsu said the incident had been reported to Japan’s Personal Information Protection Commission even though the company has “not received any reports of personal or customer information being misused.”
Scepticism about the breach of one of the world’s largest IT services providers – which employs over 124,000 people and has global revenues of $21.6 billion ($US14.2 billion) according to its latest financial reports – emerged quickly, with security commentator Graham Cluley noting that “in the past, there have been many incidents where data stolen in a hack has not immediately shown up, before appearing on the dark web months or even years later.”
Fujitsu “deeply apologise[s] for the great concern and inconvenience to all involved”, the company said, but did not share any information about whether the detected malware was in fact ransomware or some other type of data-stealing malware.
Payback for Post Office role?
Given the lack of clear details about the attack, it is not clear whether the hack is related to the company’s role in the ongoing UK Post Office Limited (POL) scandal – in which hundreds of former subpostmasters were convicted, jailed, financially ruined, socially ostracised, and died by suicide after being blamed for accounting discrepancies that were in fact caused by errors in the Fujitsu-built Horizon IT system.
The UK government this month moved to legislate a mass exoneration of the subpostmasters, just weeks after Fujitsu management apologised for the company’s role in the long-running miscarriage of justice – including helping POL shift blame onto the subpostmasters, hide system issues from prosecutors, and ignore victims’ requests for clarity about the systems upon which their livelihoods depended.
That series of events has raised questions about Fujitsu’s ongoing close relationship as a service provider to the UK Government, which had awarded Fujitsu $3.88 billion (£2 billion) worth of contracts before 2019 – when a UK court ruled that Horizon’s defects, and not the subpostmasters, were to blame – and an additional $2.72 billion (£1.4 billion) worth of contracts since then.
In that ruling, the court found that Fujitsu – which this year undertook not to take on new UK Government contracts for the next two years – had shown “a pattern of considerable defensiveness over the Horizon System” with “a lack of transparency, and a lack of accuracy in description” including deception by the company around “powers which, until shortly before the trial started, Fujitsu sought to keep from the court, and may not have even fully disclosed to the Post Office.”
Such duplicity, and the protracted and repeated suffering the whole event imposed on hundreds of British families, would not have gone unnoticed by hacktivists – who, security firm Radware observed in its recent 2024 Global Threat Analysis Report, “use their skills to… hold powerful organisations and governments accountable for their actions.”
A targeted attack on Fujitsu would therefore be consistent with what Radware – which monitors sites such as Telegram, which it describes as “the new ‘underground’” for hackers – described as an intensifying climate of hacktivist activity that has been fuelled by Israel’s invasion of Gaza and Russia’s invasion of Ukraine.
Similar reports from other security groups – including Dragos, which recently observed “hacktivists preying on pervasive security weaknesses”, and CrowdStrike, which noted that attacks on technology companies comprised 23 per cent of all observed intrusions – confirm that the recent hack could well be related to the POL scandal.
It’s not the first time Fujitsu has been called out for poor security: in July last year, the Japanese government took the rare step of chastising the company for poor data security that had affected at least 1,700 companies and government agencies.
In 2021, Fujitsu was forced to discontinue its ProjectWEB collaboration and project management software after numerous government agencies were compromised through a security vulnerability in that platform.