Our approach to information security

Various Measures

Information Security Education

Mitsubishi Electric provides the following education programs to foster a corporate culture that enforces the proper handling of confidential corporate information and personal information.

Education for all employees

An e-learning program on information security is offered once a year to all of the Company’s roughly 50,000 employees, to disseminate thorough knowledge of various issues on information security, including Mitsubishi Electric's policies, the status of information leakage incidents, laws and regulations on the protection of personal information, the Unfair Competition Prevention Act, and security measures (human, physical, technological, and organizational) to be taken by all employees. In addition, we are providing training materials for employees as necessary in response to the rapid increase in telework and to changes in the business environment and business models based on the growing use of cloud services.

Education corresponding to each career stage

Education on confidential corporate information management and personal information protection is provided to new employees, employees in their twenties and thirties, and newly appointed section managers, so that they may fulfill the roles that are expected of them at each career stage.

Exercises to practice handling spoofed e-mails

As a measure against cyber-attacks, Mitsubishi Electric regularly conducts exercises that allow all employees, including officers, to verify that they know how to handle spoofed e-mails. Employees of affiliates in Japan can participate in this exercise. At overseas affiliates in the Americas, Europe, and China, practice exercises are conducted according to local circumstances under the direction of regional representative managers.

Other individual training

Employees posted overseas are provided with a preliminary education program, which covers risks in confidential corporate information management and personal information protection outside Japan and examples of information leakage incidents that have occurred overseas.

Contractor Management

Confidential corporate information and personal information are entrusted to a contractor only after a proper non-disclosure agreement is concluded between Mitsubishi Electric and the contractor. The agreement stipulates all the security matters that we require. To ensure that confidential corporate information and personal information entrusted to a contractor will be handled with appropriate control, before entrusting the information to the contractor, we confirm that the contractor will maintain the proper level of protection. After submitting the information, we supervise the contractor by regularly examining a status report on the use and management of the information that we have submitted. Moreover, the agreement includes a special clause that provides for the protection of the personal information that we have submitted.

Cyber-Attack Countermeasures

Cyber-attacks have become a major threat for businesses. As they are growing increasingly sophisticated and diverse year-by-year, it is becoming difficult to prevent them. The Mitsubishi Electric Group deploys cyber-attack countermeasures through a multilayered defense consisting of a number of different defense measures stacked on top of each other. Furthermore, there are cyber-attacks that cannot be prevented entirely with a multilayered defense alone. Accordingly, we monitor cyber-attacks and have put in place a system to respond immediately should a case occur, in an effort to prevent or minimize damage.

Internet websites are constantly exposed to many external threats, and so we only launch websites that are approved by Mitsubishi Electric in order to maintain a high security level.

Potential for leaks of personal data and confidential corporate information due to unauthorized system access

We sincerely apologize for any inconvenience and/or concern experienced by our customers and society as a result of the potential data leak incident caused by unauthorized system access, as reported in January 2020.

On June 28, 2019, after detecting and investigating suspicious activity involving computer terminals at Mitsubishi Electric, it was determined that data had been taken through unauthorized system access by a third party. The investigation took some time because it was a sophisticated attack that bypassed monitoring and detection measures, and the logs that would have identified the affected files were deleted by the hacker on some terminals. The finding was that personal data and confidential corporate information may have been leaked externally.

The Mitsubishi Electric Group deeply regrets not being able to prevent such a situation, and reaffirms that cyber security is an important management issue as stated in the Cyber Security Management Guidelines of the Ministry of Economy, Trade and Industry of Japan. Going forward, we will deploy stronger and more nimble information security measures globally. The Group has established the Corporate Information Security Division, which is a unified organization under the direct control of the president, in order to continually ascertain and manage risks and prevention measures within the Group. We continue to work on information security measures to prevent any such incident from reoccurring. The Group also shares its knowledge to help society as a whole counter today’s increasingly sophisticated and diversified cyber-attacks.