Information leaked on Shizuoka Prefecture’s subsidy application site, caused by an unknown bug in a commercial product
In November 2022, a problem occurred in Shizuoka Prefecture's application system for a subsidy that supports the cost of countermeasures against rising prices. Application contents, such as the bank account and part of the final tax return, became temporarily viewable by other business operators. The cause was an unknown bug, hidden in a commercial service, that surfaced. The bug was overlooked because of insufficient testing by Shizuoka Prefecture and JTB, which was commissioned by the prefecture. Shizuoka Prefecture has embarked on a review of its check system for business consignments, including system development.
“I apologize to all the small businesses.” Shinichi Hirayama, Director of the Management Support Division, Commerce and Industry Bureau, Ministry of Economy, Trade and Industry of Shizuoka Prefecture, apologized for the system trouble that occurred on November 28, 2022.
The trouble occurred in the online application system for the Shizuoka Prefecture Small and Medium Enterprise Business Expense Subsidy for Emergency Response to Price Surges. The subsidy is aimed at small and medium-sized enterprises in Shizuoka Prefecture and covers a portion of the cost of countermeasures against rising prices. For example, it subsidizes up to two-thirds of the target expenses, to a maximum of 500,000 yen, such as the cost of introducing equipment that improves operational efficiency and saves energy.
For SMEs with poor financial strength, the impact of soaring prices on their management is not small. There was a lot of interest in the system from the corporate side, but system troubles put a damper on such momentum.
Applications exceed the budget limit immediately after the start
Online application for grants began at 10:00 am on November 28, 2022. After completing the application for use of the application system and the registration of necessary information, companies were able to check their own application details on the system’s “My Page.”
“You can view the application information of other companies.” The Shizuoka prefectural office received a complaint by phone immediately after the online application started. On My Page, the application contents of other companies could be seen. In addition to information such as the business name, address, and phone number, it was possible to view bank accounts, part of tax returns, and identity verification documents.
“This will be a serious incident.” That was the intuition of Takeshi Yamaguchi, director of digital strategy at Shizuoka Prefecture, when he heard the news. First of all, in order to prevent the damage from spreading, the Ministry of Economy, Trade and Industry, which is in charge of the subsidy project this time, took the lead in considering how to respond, and at 11:58 am the online application system was urgently stopped. The total amount requested reached over 1 billion yen, exceeding the original budget of 800 million yen. In a subsequent investigation, the number of devices (number of IP addresses) that may have viewed the application information of other companies reached a maximum of 5228, but in the end only one company was able to see the application information of other companies.