National Police Agency computer hacked 46 times through VPN : The Asahi Shimbun

People working from home due to the novel coronavirus pandemic may want to think twice about consulting the National Police Agency about computer security.

The agency failed to stop hackers from breaking into one of its personal computers 46 times between August 2019 and mid-November this year, red-faced officials announced on Nov. 27.

“It’s extremely embarrassing that the NPA was successfully attacked when it should have a computer security system that is unbreachable,” a high-ranking NPA official said.

The breach revolved around the virtual private network (VPN) the agency provides to outside companies that it has dealings with. VPN devices have come into wide use among people working from home because they are used to connect to company computer networks.

The hacking at the NPA stemmed from the theft of IDs and passwords to access the VPN.

The hacked computer was used to exchange contract-related data with outside companies. The VPN allowed those companies to directly access the NPA computer.

NPA officials are confident that the data was not leaked because all exchanges are deleted from the computer once the exchange over a specific contract is concluded.

NPA officials said they learned about the breach from officials at the Metropolitan Police Department.

A list of about 50,000 VPN devices, including the one used by the NPA, had been posted on a bulletin board site by a hacking group since mid-November. Sources said someone tipped off the Metropolitan Police Department about the list, and those officials in turn informed the NPA.

The Asahi Shimbun analyzed the list with the help of outside experts and found that 5,600 IP addresses in Japan were on it. That number was second only to the 7,700 or so IP addresses in the United States.

Tracing the IP addresses to the organizations that hold them led to small businesses, local governments and educational institutions in Japan.

One of the educational institutions was Sapporo University in Hokkaido, which on Dec. 4 announced that the ID information of nine employees had been stolen by hackers.

The VPN devices on the list were all manufactured by Fortinet of the United States. In May 2019, the company announced a…