Japan’s “Privacy Mark” (P-Mark) certification system suffered a serious data breach in August 2023, and its operator JIPDEC (Japan Institute for Promotion of Digital Economy and Community) has announced the results of its investigation into the incident. 🕵🏻‍♂️

Companies applying for P-Mark certification must satisfy a set of requirements, much like what organizations go through for an ISO certification. JIPDEC’s reviewers audit those applications, and one reviewer had stored review documents on a personal NAS that was reachable from the internet without access controls. A P-Mark holder contacted JIPDEC to report that review documents were visible online. That had to sting.

The investigation found that the leaked information included review documents for applicants, as well as email and address details belonging variously to JIPDEC staff, applicants, and certification-holder companies.

It’s obviously a grave situation for a standards organization to be caught with its proverbial pants down like this, but to JIPDEC’s credit they are showing how seriously they take it by banning reviewers from using personal devices for review work. It’s at least a step in the right direction, though the underlying problem was audit material leaving managed, access-controlled systems entirely, so the real test is whether that material now stays inside them.

Quis custodiet ipsos custodes? In the case of JIPDEC, I guess their customers do. I wish them well while they, um, re-apply for their own P-Mark cert. 😅

JIPDEC PrivacyMark logo and marketing blurb.