JTB Corp., one of Japan's biggest travel agencies, announced it suffered a data breach in which an unknown party stole the personal details of over 7.93 million users.
According to a cyber-security firm, the breach began after one of the company's employees opened a malicious Microsoft Word document received as an attachment to a spear-phishing email.
Attackers used PlugX and Elirks malware
The document was laced with the PlugX (Korplug) malware, a remote access trojan (RAT) that granted the attacker access to the employee’s computer.
The spear-phishing email was effective because it purported to be a travel booking request from All Nippon Airways Co., one of Japan's airlines.
After infecting the employee's computer with PlugX, the attackers installed the Elirks backdoor trojan, which allowed them to exfiltrate any data they deemed valuable.
Attack seen by other security vendors
The details and timeframe of the attack match the findings of, who last week revealed details about multiple cyber-attacks against Japanese businesses using the PlugX and Elirks malware.
Those attacks and the malware were linked to Chinese threat actors. Both malware families are regularly seen in cyber-espionage campaigns, but they are not exclusive to that type of attack.
Nikkei, a Japanese news organization, says the attackers stole user data such as customer names, home addresses, email addresses and passport numbers. Of the passport numbers, over 4,300 belonged to passports that were still valid, a JTB spokesperson confirmed to Nikkei.
"I apologize for causing trouble and worry to our customers and other people concerned," JTB President Hiroyuki Takahashi said at a press conference two weeks ago.
Japanese media have not reported any of the stolen data being used in fraudulent transactions, but criminals tend to hoard stolen data before using it, often only after a few years.