It’s unlikely that one Japanese man will join his colleagues for after-work drinks again following their last night out, when officials said he lost a USB stick containing the personal data of nearly half a million people.
The man, who has not been named, transferred the data Tuesday and then went to a restaurant with three colleagues, according to Yuji Takeuchi, president of Tokyo-based Biprogy Inc., which was contracted by the Amagasaki city government to manage its financial aid program during the coronavirus pandemic. In a statement on Sunday, Biprogy said the man worked for a company that had been subcontracted by Biprogy’s own subcontractor.
The USB contained the home addresses and bank account details of every one of the 460,000 residents of Amagasaki, officials in the small industrial city in Japan’s Hyogo prefecture said in a statement Thursday. It also identified households receiving public assistance, they said.
Speaking at a news conference Friday, Takeuchi said the man “was in possession of his bag when he left the restaurant,” but then he “fell asleep on the street.” He woke up at 3 a.m. and went home before calling work six hours later to inform them he was taking the day off, Takeuchi added.
“At this time, there was no report of the loss of the bag,” Takeuchi said. That afternoon, the man reported the missing USB stick to his manager, he added.
“Nomikai,” or drinking parties after work, is common in Japanese workplaces and used to foster close employee relationships. They are nonetheless expected to show up at the office in the morning.
All’s well that ends well, however: The man was able to retrieve his bag with the help of his cellphone company, Takeuchi said.
Akiyoshi Hiraoka, the CEO and president of Biprogy, told the same news conference that the encryption and passwords on the two devices had not been changed.
He added that the man had breached company rules by transferring the data to portable media like USB sticks. He said the company had not decided how to punish the man, but it would take strict measures after reviewing the facts.
Takeuchi said the company would be monitoring the dark web to make sure the data had not been leaked.
Given that the company was a subcontractor, the city’s government could also be liable for not effectively monitoring the data processing, Tatsuya Tsunoda, an associate at the Nishimura & Asahi law firm in Tokyo, told NBC News by email Friday.
If data is lost or damaged, “the third-party contractor must immediately notify of such data incident to the entrustor and then the entrustor must report it to the Personal Information Protection Commission and also must notify data subjects,” he said.
The council said in its statement that a committee of outside experts would be set up to investigate the incident and prevent it happening again.