Photo/Illutration Leaked information related to a VPN device manufactured by Fortinet of the United States posted to a site used by hackers (Tatsuya Sudo)

People working from home due to the novel coronavirus pandemic may want to think twice about consulting the National Police Agency about computer security.

The agency failed to stop hackers from breaking into one of its personal computers 46 times between August 2019 and mid-November this year, red-faced officials announced on Nov. 27.

“It's extremely embarrassing that the NPA was successfully attacked when it should have a computer security system that is unbreachable,” a high-ranking NPA official said.

The breach revolved around the virtual private network (VPN) the agency provides to outside companies that it has dealings with. VPN devices have been in wide use by those working from home because they are used to connect to company computer networks.

The hacking at the NPA stemmed from the theft of IDs and passwords to access the VPN.

The hacked computer was used to exchange contract-related data with outside companies. The VPN allowed those companies to directly access the NPA computer.

NPA officials are confident that the data was not leaked because all exchanges are deleted from the computer after an exchange over a specific contract is concluded.

NPA officials said they learned about the breach from officials at the Metropolitan Police Department.

Since mid-November, a hacking group had posted a list of about 50,000 VPN devices, including the one used by the NPA, on a bulletin board site. Sources said someone tipped off the Metropolitan Police Department about the list and those officials in turn informed the NPA.

The Asahi Shimbun analyzed the list with the help of outside experts and found 5,600 IP addresses in Japan were on it. The number was second only to the 7,700 or so IP addresses in the United States.

Identifying the organizations possessing the IP addresses led to small businesses, local governments and educational institutions in Japan.

One of the educational institutions was Sapporo University in Hokkaido, which on Dec. 4 announced that the ID information of nine employees had been stolen by hackers.

The VPN devices on the list were all manufactured by Fortinet of the United States. In May 2019, the company announced a fatal flaw in the device that could allow hackers access to the VPN and called on all users to update it with a revised program.

But the hackers who posted the list apparently searched for and found VPN devices that remained vulnerable because the program had not been updated.

It remains unclear why the list was posted in the first place, but the subsequent breaches of VPN devices that were on the list likely means that others with bad intentions used the information on the list to hack computers.

This is not the first time VPN devices have been targeted by hackers.

In August, it was learned that VPN login information from roughly 900 companies and other organizations from Japan and abroad was uploaded in June and July to a website used by Russian hacking groups.

The information was stolen through vulnerable VPN devices manufactured by U.S.-based Pulse Secure, which has since been taken over by another U.S. company.

While the company had also revised its software program in April 2019, 3 percent of users had not switched over to the safer program as of April 2020. Hackers likely targeted companies that had not upgraded the program.

The Japan Computer Emergency Response Team (JPCERT) Coordination Center has spread the word about problem programs and devices and contacted individual computer users to help them correct their computer problems.

But one JPCERT official said it was difficult to track down all problems because many companies leave computer installation matters up to outside contractors and there may be several layers of companies that have to be contacted to gain the proper information.

(This article was written by Senior Staff Writer Tatsuya Sudo and Senior Staff Writer Shimpachi Yoshida.)