Nuclear power plant secrets leaked by computer virus, Sophos reports

June 23, 2005 Sophos Press Release

Power plant
Confidential information about power plants has been released onto the internet.

Experts at SophosLabs™, Sophos's global network of virus and spam analysis centers, have reminded internet users of the importance of computer security after media reports revealed that sensitive information about nuclear power plants has been leaked onto the internet from a virus-infected computer.

According to the Japanese press, approximately 40MB of confidential reports, related to nuclear power plant inspections over several years, was leaked from a virus-infected computer belonging to an employee of the Mitsubishi Electric Plant Engineering (MPE). The data is said to have been distributed to users of the Winny peer-to-peer file-sharing system. Winny is the most popular file-sharing network in Japan, with over a quarter of a million users.

According to officials, the leak occurred when a 30-year-old engineer used his personal computer for company business. The PC was infected with an unnamed computer virus which is said to have enabled Winny users across Japan to access the sensitive information. The exposed data included photographs of the insides of the nuclear power plants, and the names and addresses of inspecting engineers.

"It's bad enough when an individual has data stolen from them by a malware attack, but a nuclear power station being the victim is a real cause for concern," said Graham Cluley, senior technology consultant at Sophos. "The fall-out from this breach acts as an unpleasant reminder that all businesses need to take computer security seriously."

Authorities have been quick to reassure the public that it does not believe that the information leaked was directly related to radioactive substances.

Sites referred to in the leaked data include Kansai Electric Power's Mihama nuclear plant and a power station in Tsuruga, as well as pressurised water reactors in Tomari and Sendai.

"If you allow your employees to put sensitive company data onto their own home computers, you are running the risk that they will not be as well defended as the PCs within your organization," continued Cluley. "Security at power plants should be at an all-time high, but it needs to extend beyond the physicality of barbed wire and high walls and encompass information security too."

Sophos recommends companies protect their email gateways, desktops and servers with an automatically updated consolidated solution to defend against the threats of viruses and spam.