The Yomiuri Shimbun has an article on the Mitsubishi UFJ breach reported earlier this week that suggests difficulties the prosecutors may face.
In this case, a (now-former) employee allegedly used a co-worker’s credentials to access a database to which he already had authorized access. Using the co-worker’s credentials, he accessed and copied data on 1,486,651 clients onto a CD, and then e-mailed data on 49,159 clients from his home computer to three personal list dealers, receiving 328,000 yen ($3,272.11) for the records. When he came under suspicion in March, he reportedly turned the CD over to the company. And therein may lie the prosecutorial rub:
Under the law regulating illegal access to information via computer networks, it is not considered illegal for an individual with the right to access certain information to take this information with them in another form. However, it bans individuals accessing such information using somebody else’s ID or other personal data without permission.
So there may be no charges of data theft, and had he used his own credentials, he might not be facing any charges at all? As it is, he faces up to one year in jail and a $5,000.00 fine, because using his colleague’s credentials made the situation “unauthorized access.”
When a similar situation occurred here in the Certegy breach, the employee faced up to 10 years in prison.
If any reader has some expertise on Japanese law, feel free to comment: is there really so little criminal prosecution and penalty for stealing and selling personal information?