Technology

A hacking attack at Japan’s largest IT company is spilling across the country’s corporate sector, with cyber security experts warning that it could trigger a surge in attempts by organised criminal gangs to extort hefty ransoms from companies and their customers.

More than 10 Japanese companies have said in the past month that they have been affected by the hacking at Fujitsu, which supplies internet infrastructure to thousands of companies. The attack took place last year and allowed outside access to emails sent through a Fujitsu-based email system.

Fujitsu admitted last year that it was hacked but refused to disclose how many of its customers were targeted.

Tokio Marine & Nichido Fire, which is one of Japan’s largest underwriters of corporate insurance against cyber attacks and a prime target for ransomware gangs, acknowledged to customers last month that it was one of the companies potentially affected by the Fujitsu leak, according to two sources.

Tokio Marine began writing to its corporate clients to discuss the possible impact of the breach and the potential loss of sensitive data, said two people familiar with the matter.

“The response from Tokio Marine is very significant. Clients of insurers share a lot of data that ransomware gangs target, and there will be a lot of concern around what kind of access the hackers got,” said one cyber security analyst who advises a large listed company affected by the incident.

Tokio Marine said it took the situation seriously and was addressing the incident.

The technology giant Kyocera, clothing maker Goldwin and property developer Sekisui House have all said within the past month that they are also among the companies affected by the Fujitsu incident.

Cyber security experts said that the attack on Fujitsu was consistent with the tactics of highly professionalised gangs in Russia and Belarus who target Japanese companies and organisations because they often have relatively low-level defences, and their willingness to pay a ransom tends to be high. Experts said that the Cuba and LockBit ransomware gangs had been especially active in Japan over the past 18 months.

The cyber security consultancy IBM Security said in its 2022 report on the cost of data breaches that ransomware attacks were sharply on the rise, with the global average cost of a data breach rising to $4.35mn in 2022 — its highest since the research began.

The average global cost to companies of suffering a ransomware attack, said IBM, stood at $4.54mn, which did not include the payment of the ransom itself.

Fujitsu said it launched an internal investigation into the incident after it received information from the police on December 9. The company has apologised and said it was investigating and co-operating with affected clients.

It was the second significant attack on the group in as many years. In 2021, Fujitsu’s cloud service for government agencies was targeted by hackers, resulting in a data breach at the foreign ministry, the cabinet office and other ministries.

The world’s largest tech companies are expected to “circumvent” the British government’s special tax on digital companies before new international rules are implemented, MPs have warned.

In a report published on Tuesday, the House of Commons public accounts committee found that the digital services tax raised £358mn from 18 companies in its first year — 30 per cent more than expected. But it warned the “successful implementation” of the levy in 2020-21 was unlikely to continue.

It said that, since implementation of an international tax deal — set to replace the levy — was likely to be delayed, it expected companies would use “the huge resources and expertise at their disposal to circumvent” the digital services tax.

“While there may be no evidence of active tax avoidance or evasion by businesses to date, this may change if the life of the digital services tax is extended,” the report, which did not name any companies, concluded.

Ministers brought in the new digital services tax in 2020 as a temporary measure to address concerns that tech companies were declaring low profits in the UK by diverting profits made on UK sales to other countries with lower corporate tax rates.

Other countries, such as France, Spain, Italy and Turkey, implemented similar measures. Most, including the UK, have said they would repeal the levy once an OECD agreement, which would allow countries to tax an element of the largest multinationals’ profits where they make their sales, is implemented.

Although the process is progressing at the Paris-based international organisation, there are few signs that the US Congress will ratify any agreement even if the Biden administration were to sign up.

Sarah Olney, the Liberal Democrat MP who led the PAC inquiry, said: “We were very pleased to see [HM Revenue & Customs] finally getting to grips with the realities of taxing multinational corporations . . . But [HMRC] needs to up its game on compliance — especially across jurisdictions — about how the tax will actually operate, over what will probably be years more before a proper international tax is fully operational.”

Neil Ross, associate director of policy at industry group TechUK, rejected the report’s suggestion that businesses would seek to find ways to circumvent the tax as “surprising and unfounded”. He added: “From our perspective, companies are trying to get clarity and information out of HMRC in order to comply. But HMRC was very slow and not effectively resourced.”

But he agreed that the tax was a “second-best option . . . Political attention should be focused on getting the OECD framework agreed.”

The Treasury and HMRC also dismissed the PAC’s warning that companies would circumvent the tax, saying it was relatively easy to operate. Officials said the tax system also had other ways, including the diverted profits tax, to ensure tech giants paid their fair share.

“The digital services tax has proved highly effective at taxing the UK revenues made by online businesses ahead of new international rules,” HMRC said. It added that it had “an extremely strong track record on multinational tax compliance”.

The UK’s data watchdog has fined TikTok £12.7mn for breaking the law on the protection of children’s data, amid mounting global concern about the Chinese-owned social media app.

The Information Commissioner’s Office on Tuesday said it estimated that up to 1.4mn UK children aged under 13 had used the viral-video app in 2020, even though TikTok’s own rules forbid children younger than 13 from creating accounts.

The platform had failed to gain parental consent to use children’s data, contravening UK data protection laws, the regulator said.

“TikTok should have known better, TikTok should have done better,” said John Edwards, the UK information commissioner.

The group has a right to appeal the fine within 28 days. “We will continue to review the decision and are considering next steps,” it said.

The fine, the first issued by the ICO for under 13s accessing an online service, comes as TikTok faces a regulatory onslaught from governments around the world.

TikTok’s chief executive was grilled by US legislators last month as the social media app attempted to head off a potential US ban over national security fears linked to its Chinese ownership.

A number of jurisdictions, including the UK, EU, Canada and the US, have banned TikTok from government devices.

In response to mounting pressure, TikTok last month laid out new measures to protect users’ data in Europe. It will open two data centres in Dublin and a third in Norway to store videos, messages and personal information generated by 150mn European users of the platform.

The ICO investigation found that TikTok “did not respond adequately” when a concern was raised internally with senior employees about children under 13 using the platform.

TikTok said it had taken steps to prevent children from accessing its platform. It also publishes information on how many accounts are linked to users it suspects are under 13.

The social media app said it removed more than 17mn accounts in the last three months of 2022.

“We invest heavily to help keep under-13s off the platform and our 40,000-strong safety team works around the clock to help keep the platform safe for our community,” said TikTok.

The UK government is set to introduce its Online Safety Bill, which will bring in tougher requirements for social media companies and could lead to jail sentences for tech executives who fail to protect children online.

The ICO’s investigation into TikTok, which covered activity from May 2018 to July 2020, concluded before the regulator introduced stricter requirements on the processing of children’s data.

TikTok’s fine was reduced from a £27mn charge proposed in September, after the regulator dropped findings relating to the processing of “special category data”, such as personal or biometric data.

Baroness Beeban Kidron, who founded children’s privacy charity 5Rights Foundation, said the tech sector should “accept the principle of delivering products and services with basic safety built in by design”.

“The future of tech will not be built on the back of children’s anxiety, inappropriate content and dangerous activities — but will be an accountable and regulated sector that prioritises the impact on children over profits,” she added.

The Federal Trade Commission has ordered Illumina to divest cancer screening company Grail, arguing the $8bn acquisition would damage competition in the US market for life-saving cancer tests.

The decision reverses an earlier ruling by an administrative law judge in favour of the deal and marks the latest setback to the San Diego-based company’s efforts to diversify into the nascent market for multi-cancer early detection tests.

The US antitrust regulator issued an opinion and order on Monday, which found Illumina’s decision to buy Grail, a company that it had initially spun out in 2016, would diminish innovation in the domestic market for the oncology tests while increasing prices and decreasing choice and quality of tests. It rejected Illumina’s claim that the acquisition would accelerate the rollout of Grail’s oncology tests and save lives, noting the company’s projections were “vague, self-serving, and unsupported”.

“This is extremely concerning given the importance of swiftly developing effective and affordable tools to detect cancer early,” said the FTC in a statement.

Illumina said it intends to file a petition for review promptly with a US Court of Appeals and will seek expedited treatment of the appeal. The FTC’s order to unwind the acquisition will be automatically stayed pending appeal, said the company.

The ruling by the FTC follows a similar move by European regulators aimed at unpicking Illumina’s purchase of Grail. The world’s biggest gene sequencing company made a contentious decision to close its acquisition of Grail in August 2021 despite opposition from the European Commission and FTC.

The commission is expected to fine Illumina up to 10 per cent of its annual turnover and issue a final divestment order shortly.

Illumina’s battle with antitrust regulators has sparked a proxy battle with activist investor Carl Icahn, who claims the deal cost Illumina up to $50bn in market value.

On Monday, Icahn reiterated his criticism of Illumina’s decision to close the Grail deal and repeated his call for the removal of the chief executive, Francis deSouza.

“We believe it is unconscionable that the board of directors still entrusts Mr deSouza with running our potentially great company. During his tenure, not only has the company lost $50bn of shareholder value but many of his talented executives have left or are in the process of leaving,” said Icahn in a letter to shareholders.

In September, an administrative law judge sided with Illumina over the acquisition of Grail, which had argued the deal would not hurt competition. The FTC opinion and order on Monday override that ruling.