Mitsubishi Electric fosters a corporate culture that enforces the proper handling of confidential corporate information and personal information. For example, in light of data leak incidents caused by unauthorized access to our system, we provide the following education programs to enable employees to ensure the implementation of specific security control measures, such as the server storage and encryption of files according to security levels.
An e-learning program on information security is offered once a year to all of the Company’s roughly 50,000 employees, to disseminate thorough knowledge of various issues on information security, including Mitsubishi Electric's policies, the status of information leakage incidents, laws and regulations on the protection of personal information, the Unfair Competition Prevention Act, and security measures (human, physical, technological, and organizational) to be taken by all employees. In addition, we are providing training materials for employees as necessary in response to the rapid increase in telework and to business environment and business models changes based on the growing use of cloud services.
Education on confidential corporate information management and personal information protection is provided to new employees, employees in their twenties and thirties, and newly appointed section managers, so that they may fulfill the roles that are expected of them at each career stage.
As a measure against cyber-attacks, Mitsubishi Electric regularly conduct exercises that allow all employees, including officers, to verify that they know how to handle spoofed e-mails. Employees of affiliates in Japan can participate in the exercises. At overseas affiliates in the Americas, Europe, and China, practice exercises are conducted according to local circumstances under the direction of regional representative managers.
Employees posted overseas are provided with a preliminary education program, which covers risks in confidential corporate information management and personal information protection outside Japan and examples of information leakage incidents that have occurred overseas.
Confidential corporate information and personal information are entrusted to a contractor only after a proper non-disclosure agreement is concluded between Mitsubishi Electric and the contractor. The agreement stipulates all the security matters that we require. To ensure that confidential corporate information and personal information entrusted to a contractor will be handled with appropriate control, before entrusting the information to the contractor, we confirm that the contractor will maintain the proper level of protection. After submitting the information, we supervise the contractor by regularly examining a status report on the use and management of the information that we have submitted. Moreover, the agreement includes a special clause that provides for the protection of the personal information that we have submitted.
Cyber-attacks have become a major threat for businesses. As they are growing increasingly sophisticated and diverse year-by-year, it is becoming difficult to prevent them. The Mitsubishi Electric Group is implementing two major countermeasures. Along with the wider use of cloud services and the wider adoption of teleworking, we are accelerating the implementation of zero-trust security* measures. For existing IT environments, we are deploying cyber-attack countermeasures through a multilayered defense consisting of a number of different defense measures stacked on top of each other. Furthermore, there are cyber-attacks that cannot be prevented entirely with a multilayered defense alone. Accordingly, we monitor cyber-attacks and have put in place a system to respond immediately should a case occur, in an effort to prevent or minimize damage.
Internet websites are constantly exposed to many external threats, and so we only launch websites that are approved by Mitsubishi Electric in order to maintain high security level.
Regrettably, another data leak incident was caused again by unauthorized system access despite our ongoing efforts to strengthen security. We sincerely apologize for any inconvenience and/or concern experienced by our customers and society as a result of these incidents, as reported in January 2020 and today in November 2020.
On November 16, 2020, a newly deployed cloud monitoring system detected suspicious access to one of the cloud services to which Mitsubishi Electric subscribes and it was confirmed that the bank account information of our domestic suppliers was leaked. This unauthorized access to the cloud was performed at a related company in China by intruding to the network and stealing the credentials of some Mitsubishi Electric Group employees to access the cloud.
To prevent recurrence, Mitsubishi Electric strengthens the monitoring of the cloud service that was accessed illicitly and accelerates the implementation of zero-trust security measures. In addition, the Mitsubishi Electric Group as a whole strengthens security measures through comprehensive multilayered protection, such as the strengthening of domestic and overseas network access controls, endpoint security measures, and monitoring and authentication platforms. Going forward, we will continuously work to strengthen security in coordination with relevant authorities.