Tokyo Gas Subsidiary Breach Exposes Millions of Customer Records, Impacting Dozens of Firms

A significant data breach has potentially exposed the personal information of 4.16 million customers across 51 gas and water companies. The leak stems from unauthorized access to a subsidiary of Tokyo Gas, Tokyo Gas Engineering Solutions (TGES), which had been contracted to manage various operational tasks for these companies. Attackers reportedly infiltrated TGES’s internal servers via a compromised VPN (Virtual Private Network) device, stealing data that includes personal information used for system operations.

A Growing National Issue

Since July 2024, various city gas and water companies, as well as local governments, have been issuing public apologies and responses as they assess the extent of the breach. The unauthorized access at TGES has created a ripple effect, potentially compromising customer data from many businesses that outsourced their operations to the Tokyo Gas subsidiary.

Examples of Companies Affected

  • Keiyo Gas (Chiba Prefecture): As of July 18, approximately 810,000 customer records were reported potentially leaked.
  • Hokkaido Gas: By July 19, around 690,000 records were suspected to have been compromised.
  • Koshigaya Matsubushi Waterworks Enterprise Group (Saitama Prefecture): Around 193,000 customer records may have been exposed.
  • Fukuoka City Waterworks Bureau: Approximately 224,000 customer records might have been leaked.

These are just a few of the companies impacted, with over 30 businesses in total confirming potential data leaks. This includes the Kumamoto City Waterworks Bureau, Nagaoka City Waterworks Bureau (Niigata Prefecture), and Okayama Gas, among others.

Scope of the Breach

The breach was first made public on July 17, 2024, when TGES revealed that customer information had been accessed by unauthorized individuals. In total, 4.16 million records were compromised, including data that TGES managed for various gas and water companies. However, the breach did not affect the personal information of Tokyo Gas customers who use its gas or electricity services, as Tokyo Gas manages its own pipelines internally. There is a possibility, though, that some corporate data on Tokyo Gas users might have been leaked.

Investigations and Responses

Investigations are ongoing as TGES and the affected companies work to assess the full scope of the damage and prevent further breaches. Authorities are also investigating how the attackers managed to exploit the VPN device to gain access to sensitive internal systems. The incident has raised questions about the security measures in place at both Tokyo Gas's subsidiaries and its subcontractors.

As more details come to light, customers affected by this breach are encouraged to monitor their personal information and take necessary precautions to protect against identity theft or fraud.

Sources: https://www.metro.tokyo.lg.jp/, Reddit