Fujitsu has warned that cybercriminals may have stolen files with personal and customer data after discovering malware on its computer systems.
The firm, which is at the center of the British Post Office scandal, said in a Japanese press release that it had discovered the presence of malware on its computers and the potential theft of customer data, and apologised for any concern or inconvenience caused.
The press release (a Google-translated version can be read here) is somewhat scant on detail.
For instance:
- Fujitsu doesn’t disclose the malware found, the number of affected computers, or the internal systems or databases accessed.
- Fujitsu doesn’t specify the type of malware found – a remote access backdoor? ransomware? something else?
- Fujitsu doesn’t share details about the stolen information, calling it “personal information and customer information.” For instance, does it include contact details, passwords, or payment information?
- Fujitsu announced on Friday 15 March that it suffered a cyber attack, but didn’t specify when it was discovered or how long the hackers had access to its systems and data.
Fujitsu says it has reported the incident to regulators and will contact affected individuals and customers.
The company also says that it has not seen any reports of the potentially stolen information being misused. Statements like these are meant to reassure affected parties, but they don’t make you feel much more comfortable in reality.
An absence of evidence is not evidence of absence. How could a company ever confidently and honestly claim it has incontrovertible proof that exfiltrated data has not been exploited by malicious hackers and online fraudsters?
In the past, there have been many incidents where data stolen in a hack has not immediately shown up, before appearing on the dark web months or even years later.