Mitsubishi Electric Corp., under fire for its belated disclosure of a huge cyberattack, said personal information of more than 8,000 applicants, employees and retirees might have been leaked since June last year.

However, the leading manufacturer of defense, infrastructure and transportation equipment on Jan. 20 did not divulge any details about information related to its customers, such as government organizations and private-sector companies.

The company said it became aware of the suspected illegal access to its computers and networks on June 28.

The potentially leaked information includes the names and addresses of 1,987 new graduates who joined Mitsubishi Electric between October 2017 and April 2020, and mid-career workers who applied at the company from 2011 to 2016.

The names of 4,566 employees at the company’s headquarters who answered a questionnaire about the personnel system in 2012, as well as places where they worked might have also been leaked.

In addition, the leaks may include the names, birthdates, telephone numbers and other data of 1,569 retirees who received benefits from the Mitsubishi Group pension fund between 2007 and 2019, the company said.

The company is sending letters to those possibly affected to apologize for the suspected leaks and to explain what had happened.

The hackers gained access to Mitsubishi Electric’s data on more than 10 government organizations and dozens of businesses, including major companies involved in social infrastructure, according to officials familiar with the attack and the findings of the company’s in-house investigation.

The company did not explain why it has not disclosed the number of customers potentially affected or their line of work.

Mitsubishi Electric has denied any leaks of “sensitive” data in the defense, electric and railway industries. It also said “classified” information on technology and “vital” data about its customers were safe.

But the company does not have any guidelines that define the boundaries of “sensitive,” “classified” and “vital” information, sources said.

After Mitsubishi Electric finally announced the cyberattack on Jan. 20, Defense Minister Taro Kono said the same day that the company has reassured the ministry of “no leak being confirmed about the ministry’s sensitive data.”

A senior official with the Ministry of Economy, Trade and Industry criticized the company for waiting six months before going public with the cyberattack.

“Mitsubishi Electric should have disclosed the incident sooner because it could have served as a warning to other companies,” the official said.

The Defense Ministry’s Acquisition, Technology & Logistics Agency said it was alerted by the company about the cyberattack in August.

But most of its business partners in the private sector were left in the dark until The Asahi Shimbun broke the news on Jan. 20.

A railway operator in the Tokyo metropolitan area and other businesses said they learned about the cyberattack “for the first time” after reading the newspaper article.

Some leading electricity companies and automakers scrambled to confirm with the company whether their information was leaked.

An official with a financial institution said on Jan. 20 that Mitsubishi Electric has provided no explanation so far.

The company appears to be contacting only business partners whose information might have been significantly compromised, but it is still not giving the entire picture of the breach.

Although Tokyo’s Metropolitan Police Department is collecting information on the cyberattack, Mitsubishi Electric said it is not consulting with investigative authorities because of a lack of hard evidence showing data theft, according to the sources.

Hisashi Sonoda, a professor of criminal law at the Konan Law School in Kobe, said the cyberattack on Mitsubishi Electric is clearly a crime.

“What happened at the company constitutes illegal access under the control law of unjustifiable access,” he said.

Sonoda underscored the importance of promptly providing details about hacking to the government and investigative authorities so that they can work to prevent new online attacks.

“A method similar to the one used to breach data at Mitsubishi Electric could be used in an attempt to gain unauthorized access to other computer networks,” he said. “(How to prevent) such hacking is an issue that concerns not only the affected company but also the whole country.”

Sonoda called on Mitsubishi Electric to share information on the unauthorized accesses with the government and major companies to help protect other computer networks.

Mitsubishi Electric acknowledged that it waited until this month to report the potential data leak concerning the 8,122 people to the government’s Personal Information Protection Commission.

Guidelines under the law on protecting personal information call on companies to promptly report personal information leaks to the commission.

(This article was written by Hisashi Naito and Yoshitaka Ito.)