Mitsubishi UFJ Financial Group, Inc. Data Breach (2009)

The Yomiuri Shimbun has an article on the Mitsubishi UFJ breach reported earlier this week that suggests difficulties the prosecutors may face. In this case, a (now-former) employee allegedly used a co-workers credentials to access a database to which he already had authorized access. Using the co-workers credentials, he accessed and copied data on 1,486,651 clients onto a CD, and then e-mailed data on 49,159 clients from his home computer to three personal list dealers, receiving 328,000 yen ($3,272.11) for the records. When he came under suspicion in March, he reportedly turned the CD over to the company. And therein may lie the prosecutorial rub: Under the law regulating illegal access to information via computer networks, it is not considered illegal for an individual with the right to access certain information to take this information with them in another form. However, it bans individuals accessing such information using somebody elses ID or other personal data without permission. So there may be no charges of data theft, and had he used his own credentials, he might not be facing any charges at all? As it is, he faces up to one year in jail and a $5,000.00 fine, because using his colleagues credentials made the situation unauthorized access.