How Content Security Could Have Prevented the Fukuoka COVID-19 Patient Data Breach

On January 6, 2021the Fukuoka prefectural government of Japan announced that the names, location, and age of 9500 people infected with COVID-19 had been leaked on the Internet. The breach occurred when a government employee mistakenly sent a link to the Excel file stored on Google Drive to an outsider. The file was accessible via the Internet for over a month.

Let’s examine how this breach unfolded, and how it could have been prevented. The information was intended to be shared with healthcare providers in the region to assist in providing care to those affected. Therefore, it can be said that there was a legitimate need to share the information outside of the government. However, it is clear that the steps to secure the information and access to it were insufficient. When sharing sensitive information, both the method of transfer of the data, and the data itself must be secured. Otherwise, it is vulnerable when human error happens such as this case.

While cloud file sharing platforms should not be discounted entirely, a publicly accessible service like Google Drive should not be used for sharing sensitive personal information. There are more secure file sharing solutions such as 689Cloud's SecureDrive that provide more limited access to the content being shared, as well as protection of the data itself.

However, protecting the storage and transfer of the information is not enough. If access is mistakenly provided by human error as in this case, the information may still fall into the wrong hands. Password encryption is the most popular method of protecting sensitive data files, but it too can be breached if the password is re-shared. Furthermore, password encryption does nothing to prevent leakage of the information by the intended recipient. If the healthcare provider decrypts the file, which he can do because he has the password, and then re-shares the unencrypted file with others, the information is breached.

This is where content security technology comes into play. At 689Cloud, we apply digital rights management (DRM) to protect the encrypted data. Rather than use a password which can be re-shared to access the document, the recipient must authenticate their identity using multi-factor authentication. In this way, even if the file mistakenly falls into the wrong hands, it cannot be viewed or opened. In this way, we can assure that sensitive information can only be viewed or opened by the authorized and authenticated recipient.

Human error cannot be completely eliminated. It is the mission of security technology, and content security in particular, to protect the integrity of data even in the event of human error. If you or your organization needs to share sensitive information with persons outside of your organization, I strongly suggest you apply content security to protect you and your organization even in the event of an unlikely mistake.