Japan: Issued PPC guidance to MK System Inc. under the Personal Information Protection Act

On 25 March 2024, the Personal Information Protection Commission (PPC)issued a ruling based on Article 147 of the Personal Information Protection Act, providing guidance to MK System Co., Ltd. This action was taken following unauthorised access to MK System's servers in June 2023, which resulted in the encryption of personal data managed on its system by ransomware. The compromised system contained sensitive data on up to 22.42 million people, including names, dates of birth, genders, addresses, basic pension numbers, employment insurance numbers, and employee numbers. Despite the breach, there has been no confirmed secondary damage from the misuse of personal data. As a result, MK System was instructed to take appropriate and necessary measures to prevent a recurrence, ensure proper operation and continuously manage the security of personal data.