Japanese conglomerate Panasonic Corp. has disclosed that job applicant and business partner data were stolen in a breach that the company first revealed in November.

The company still didn’t reveal the exact details of how the data breach took place in its Jan. 7 announcement, instead referring to the incident as unauthorized access to a computer file server. Panasonic did say that an investigation had found that the breach of a file server in Japan had come via a server of an overseas subsidiary. The original report in November suggested that this was Panasonic India.

Although the data breach was first detected on Nov. 11, previous reports suggest that the breach involved unauthorized access starting June 22.

Panasonic has confirmed that candidate application and internship information, including personal information, had been accessed and that those affected had been contacted. Business information, including business-related information provided by business partners and information gathered internally by the company, also resided on the server. It’s being analyzed and reported to affected business partners individually.

The company noted that no consumer-related information resided on the unlawfully accessed server.

Panasonic added that it had implemented additional security countermeasures, including strengthening access controls from overseas locations, resetting relevant passwords and strengthening server access monitoring. The company also committed to continuing to improve its information security measures, including enhancing the monitoring, control and security of its networks, servers and personal computers throughout its global operations.

Though still not confirmed, the implication, given that access came via a subsidiary, is that user login details were accessed at Panasonic India, giving those behind the data breach access to the server in Japan.

“Reports confirming hackers gained access to Panasonic’s networks and personal information for job candidates and interns are troubling given the ramifications if the data falls into the wrong hands,” Danny Lopez, chief executive officer of file protection company Glasswall Solutions Ltd., told SiliconANGLE.

Lopez explained organizations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. “It’s vital to control privileged access and to monitor those that enjoy that administrator privilege,” he said.

Gal Helemski, chief technology and co-founder of authorization and identity access management solutions provider PlainID Ltd. referred to the fact that it was likely internal credentials involved in the data breach.

“Organizations must adopt a ‘zero trust’ approach, which means trusting no one – not even known users or devices – until they have been verified and validated,” Helemski said. “Access policies and dynamic authorizations are a crucial part of the zero trust architecture; they help to verify who is requesting access, the context of the request, and the risk of the access environment.”

Photo: Panasonic