Photo/Illustration: The Tokyo headquarters of Soliton Systems K.K., which developed the FileZen file-sharing server (Hidemasa Yoshizawa)

Cabinet Office officials failed to share information about a computer security breach for three months with local governments that also use the same file-sharing server.

An investigation into the FileZen server equipment developed by Soliton Systems K.K., a major IT equipment company based in Tokyo, found a breach in late January and that files had been illegally accessed, Cabinet Office sources said.

But it was not until April 22 that the Cabinet Office announced the breach and the finding that the personal information of 231 individuals had been leaked.

In the interim, the Cabinet Office did not inform local governments that also use the FileZen server about the security breach.

There was also apparently no attempt to encourage those local governments to conduct their own investigation into whether data from their files had been stolen.

Local government officials were not told about the extent of the stolen data at the Cabinet Office beyond the announcement.

An official with the Awara city government in Fukui Prefecture said, “We never received an explanation about damage from an illegal access so we felt all we had to do was update the program.”

Soliton Systems began offering a revised program from March 5.

“We are extremely worried (about a data leak) and are considering investigating the computer log file for signs of illegal access in the past,” the Awara city official said.

Other municipalities left computer matters up to outside contractors.

The Setouchi city board of education in Okayama had its outside contractor discuss the security breach issue with a Soliton Systems official.

“We did not receive detailed information from the contractor (about the server's vulnerability),” a Setouchi official said.

The Asahi Shimbun contacted seven public organizations before the Cabinet Office announcement about the security breach and none recognized any illegal access of their files.

However, Masakatsu Morii, a professor of information communication engineering at Kobe University, said, “We do not know if the cyberattack targeted only the Cabinet Office server so local governments should also investigate whether any of their files leaked.”

Morii was also critical of the fact that it took the Cabinet Office more than a month to announce the damage from its server after Soliton Systems released the revised program in early March.

“Announcing the findings will heighten a sense of the possible dangers and could prevent further damage,” Morii said. “An unintentional equipment malfunction is not the fault of anyone. That's why there is a need for a prompt announcement of the extent of the damage soon after the revised program was released.”

(This article was written by Tatsuya Sudo, a senior staff writer, and Hidemasa Yoshizawa.)