UPDATED 19:53 EDT / OCTOBER 19 2023

Human error cited as key cause of data breach at Japanese electronics company Casio

Japanese electronics company Casio Computer Co. Ltd. has suffered a data breach, and the company warned that data from customers in Japan and internationally has been stolen.

According to Casio’s breach notice Wednesday, which also included an apology, the data breach involved an external party gaining unauthorized access to the server for the company’s education web application “ClassPad.net.” The breach resulted in the leak of personal information of some registered customers inside and outside of Japan.

The breach was partly discovered on Oct. 11 when an employee attempted to work in the development environment and discovered that a database failure had occurred. Casio then assessed the failure, finding by Oct. 12 that the personal information had been accessed.

The personally identifiable information accessed included customers’ names, email addresses, country/region of residence, purchasing information, including order details and payment method, and service usage information.

Some 91,921 records belonging to customers in Japan were accessed, including individuals and 1,109 education institution customers. In addition, 35,049 records belonging to customers in 148 countries outside of Japan were accessed.

What makes the breach more interesting is that, whereas most companies avoid disclosing further details such as how the attackers gained access, Casio has not been shy and has admitted up front that the breach was due to human error.

“It has been confirmed that some of the network security settings in the development environment were disabled due to an operational error of the system by the department in charge and insufficient operational management,” the company explained. “Casio believes these were the causes of the situation that allowed an external party to gain unauthorized access.”

The breach was limited to one database in the development environment and Casio says it has no evidence of any unauthorized intrusion into other assets. The database in question remains offline, law enforcement and regulatory bodies have been contacted, and Casio is working with an external security organization to conduct further investigations and devise appropriate countermeasures in response to the incident.

“This breach highlights the importance of testing web applications in production,” Ray Kelly, fellow at the Synopsys Software Integrity Group, told SiliconANGLE. “While conducting application security testing in pre-production is a good security practice, it does not, however, allow applications to evade security issues – such as server and network misconfigurations or problems in the supply chain via the build pipeline – once deployed to production.”

Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., said that because the breach was caused by human error, “it’s important that any changes impacting cybersecurity be reviewed prior to implementation and that all security settings be periodically reviewed for accuracy. It shows the importance of change control and configuration control. These can be considered ‘boring topics’ by some, but are must-haves if an organization is expected to stay secure as it can over the long run.”
