The NTT Insider Breach: 9.28 Million Records, One Privileged Account, Ten Years
- #Japan
- #Insider Threat
- #Privileged Access
- #Case Study
- #CISSP
Part of our guide to Japan’s cybersecurity landscape. For the regulatory map behind it, see Japan’s Cybersecurity Laws & Guidelines.
Most breach stories foreign teams hear about Japan involve external attackers. This one didn’t. At an NTT subsidiary, a single trusted insider with a privileged account quietly removed 9.28 million customer records belonging to 69 client companies over roughly ten years — and it was not the company’s controls that caught him. It was the police.
I work in information security at a Japanese enterprise (CISSP, CCSP, and a Registered Information Security Specialist in Japan), and this case is one I keep coming back to, because every control that should have stopped it is one a foreign team would assume was already in place.
What happened
The affected entity was NTT Business Solutions, a subsidiary in the NTT West group, with the leaked data tied to call-center operations for NTT Marketing Act ProCX. A former dispatched (temporary) worker, engaged in operation and maintenance of the customer-data systems, abused a system administrator account — a privileged ID — to access a server holding customer information (NTT Business Solutions; Nikkei xTECH).
The mechanics were mundane, which is exactly the point:
- The worker downloaded customer-data files from the server to a maintenance terminal, then copied them out using a personal USB memory device.
- Exfiltration ran from approximately July 2013 to January 2023 — the worker had been on site since June 2008.
- The data — names, addresses, phone numbers — was passed to a name-list broker, drawing a police investigation under the Unfair Competition Prevention Act.
- Initial disclosure (October 2023) cited around 9 million records; subsequent investigation revised the figure to 9.28 million records across 69 client companies.
- A client flagged a possible leak in April 2022, but the company did not detect the exfiltration at that time. The breach surfaced through a police investigation beginning July 2023 (Nikkei).
The Personal Information Protection Commission (PPC) subsequently issued a recommendation — a notable step, since PPC formal recommendations are not routine.
Why it went undetected for a decade
This is where I want foreign security leaders to slow down, because the failure was not exotic. It was the predictable result of trusting a privileged insider and not instrumenting that trust.
The privileged account was the whole game. A system administrator ID is, by design, allowed to touch the data. So the access generated no “unauthorized access” alarm — there was nothing unauthorized about a sysadmin reading the database he maintained. This is the blind spot in controls built to stop outsiders: they say nothing about an insider doing exactly what his role permits, for the wrong reason.
Three control objectives, all familiar from any security framework, were effectively absent:
- Least privilege. A maintenance role did not need standing, broad read access to ten years of customer records. “Operations needs admin” is where least privilege quietly dies.
- Measurement. Ten years of bulk downloads to a maintenance terminal, and exfiltration to removable media, produced no signal anyone acted on. If you cannot see privileged-account data movement, you cannot manage it — and “we assumed maintenance was fine” is not management.
- Failure-tolerant design. The model relied on the insider not abusing trust. Anything that can fail through human action eventually does. The system had no layer that assumed the trusted person had already gone wrong.
The client’s 2022 report is the detail that haunts me. There was a signal. The organization could not connect it to the activity, because it had no telemetry on what its privileged accounts were actually doing.
The Japan-specific dimension foreign teams miss
What makes this an Only-in-Japan-shaped lesson is the multi-layered contractor structure. The actor was a dispatched worker (派遣) operating inside a subsidiary (NTT Business Solutions) that handled data on behalf of another group company’s clients. Personal data, the operational systems, the worker’s employer, and the data’s legal owner sat in four different boxes.
This layered staffing model — prime contractor, subsidiary, dispatch agency, client — is extremely common in Japanese enterprise IT, and it diffuses accountability for privileged access. Foreign companies running operations in Japan through local subsidiaries and staffing agencies inherit exactly this structure, often without realizing that “our vendor’s dispatched engineer has admin on the system holding our customers’ data” is a sentence that should stop a CISO cold.
It also intersects with Japan’s APPI breach-notification duties: a leak of this nature, scale, and improper purpose squarely triggers PPC reporting obligations.
Design lessons for security teams operating in Japan
Not a checklist of blame — a practitioner’s takeaways:
- Treat privileged accounts as the primary risk, not the trusted exception. Inventory every standing admin/maintenance ID that can read production personal data, including those held by dispatched and subcontracted staff.
- Enforce least privilege on operations roles. Just-in-time, time-boxed elevation beats standing admin. Maintenance rarely needs permanent bulk-read access.
- Instrument privileged data movement. Bulk reads, exports, and removable-media writes by admin accounts must generate signals someone owns and reviews. Measurement is the control.
- Control removable media on maintenance terminals. USB exfiltration is a solved problem only where someone decided to solve it.
- Map your Japanese contractor chain. Know which external/dispatched personnel hold privileged access to your regulated data, and who is accountable when they abuse it.
- Assume the trusted insider has already gone wrong, and design the layer that would catch it.
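As an added example (not code from the article, NTT, or any vendor), the following script shows the kind of detection logic the "instrument privileged data movement" and "control removable media" lessons call for, run over a constructed set of audit events. The event field names, hostnames, account names, the change-ticket field and the 5,000-records-per-day threshold are all assumptions for illustration.

```python
"""Flag privileged-account data movement that should have produced a signal."""
from collections import defaultdict

# Constructed audit events from a customer-data server and a maintenance
# terminal. Field names, hosts, accounts and tickets are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2022-04-03T22:10:00", "account": "sysadm01", "privileged": True,
     "host": "cust-db-01", "action": "export", "records": 250000, "ticket": None},
    {"ts": "2022-04-03T22:25:00", "account": "sysadm01", "privileged": True,
     "host": "maint-term-07", "action": "usb_write", "records": 0, "ticket": None},
    {"ts": "2022-04-04T09:00:00", "account": "ops02", "privileged": True,
     "host": "cust-db-01", "action": "export", "records": 300, "ticket": "CHG-1182"},
    {"ts": "2022-04-04T10:15:00", "account": "agent19", "privileged": False,
     "host": "cust-db-01", "action": "read", "records": 12, "ticket": None},
]

BULK_RECORDS_PER_DAY = 5000  # assumed baseline for a maintenance role


def detect(events, bulk_threshold=BULK_RECORDS_PER_DAY):
    """Return (rule, account, detail) alerts for the given audit events.

    Rule 1: any write to removable media, whoever performs it.
    Rule 2: a privileged account reading or exporting more records in one
            day than a maintenance role should need (bulk access).
    Rule 3: a privileged export with no change ticket, i.e. standing admin
            access used outside a just-in-time grant.
    """
    alerts = []
    daily = defaultdict(int)  # (account, date) -> records moved that day
    for ev in events:
        day = ev["ts"][:10]  # ISO timestamp, date part only
        if ev["action"] == "usb_write":
            alerts.append(("removable_media_write", ev["account"], ev["host"]))
        if ev["privileged"] and ev["action"] in ("read", "export"):
            daily[(ev["account"], day)] += ev["records"]
            if ev["action"] == "export" and not ev["ticket"]:
                alerts.append(("privileged_export_without_ticket",
                               ev["account"], ev["ts"]))
    for (account, day), total in daily.items():
        if total > bulk_threshold:
            alerts.append(("privileged_bulk_access", account,
                           f"{day}: {total} records"))
    return alerts


if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {account:10} {detail}")
```

In practice the threshold comes from each role's observed baseline and every alert routes to a named owner; a rule nobody reviews is the same as no rule, which is the article's point about measurement.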
The bottom line
This was not a sophisticated attack. It was standing privilege, no measurement, and a decade of misplaced trust — caught by police, not controls. For any organization operating in Japan through subsidiaries and dispatched staff, the uncomfortable question is simple: do you know what your privileged accounts — including your contractors’ — are doing right now? If the answer is “we assume it’s fine,” you have the same exposure NTT did.
For the regulatory obligations a breach like this triggers, see the pillar guide and the APPI guide.
References
- Notice on improper data exfiltration by a former dispatched worker (apology) (NTT Business Solutions, confirmed 2026-06-11)
- Follow-up notice (NTT Business Solutions, confirmed 2026-06-11)
- NTT West subsidiary failed to prevent 9-million-record exfiltration by former dispatched worker (Nikkei xTECH, confirmed 2026-06-11)
- Former NTT West subsidiary worker leaked 9 million personal records, also to a list broker (Nikkei, confirmed 2026-06-11)
FAQ
What was the NTT Business Solutions breach?
A former dispatched worker abused a privileged system administrator account to exfiltrate about 9.28 million customer records across 69 client companies from an NTT West group subsidiary over roughly a decade, ultimately selling data to a name-list broker.
How was the NTT insider breach discovered?
Not by internal controls. A client raised a possible leak in April 2022 without it being detected; the breach surfaced through a police investigation that began in July 2023, with public disclosure in October 2023.
Why didn't security controls catch the NTT insider?
The actor used a legitimate privileged account, so the access looked authorized. Absent least privilege, monitoring of privileged data movement, and removable-media controls, bulk exfiltration produced no signal anyone acted on.
What is the lesson for foreign companies operating in Japan?
Japan's layered subsidiary-and-dispatch staffing model diffuses accountability for privileged access. Map which external personnel hold admin rights over your regulated data, enforce least privilege, and instrument what privileged accounts actually do.
About the authors
Sekiko Jo
CISSP and CCSP-certified security specialist focused on cloud threat modeling and security governance. A Registered Information Security Specialist (情報処理安全確保支援士) in Japan, she writes from hands-on incident-response experience inside a Japanese enterprise.
Hiroto Yuki
CISSP and CCSP-certified. Writes from red-team and SOC operational experience about defenses that actually hold up.