Nippon Steel Solutions, a provider of cloud and cybersecurity services and a subsidiary of Japan’s Nippon Steel, recently disclosed a significant data breach. The incident stemmed from a sophisticated cyberattack in which malicious actors exploited a previously unknown (“zero-day”) vulnerability in the company’s internal network equipment. The breach led to unauthorized access to its systems, raising concerns about the potential exposure of sensitive personal data.
The company’s security teams first detected suspicious activity on March 7, 2025, and promptly isolated the affected server to prevent further compromise.
A subsequent investigation confirmed that the zero-day attack on their network infrastructure was the root cause, leading to unauthorized access and the potential exfiltration of personal data. Notably, Nippon Steel Solutions affirmed that their cloud services, which are distinct from the breached internal network, remained unaffected by this incident.
In response to the breach, Nippon Steel Solutions issued a public apology, acknowledging the “great inconvenience and concern” caused to their business partners and other stakeholders. They detailed immediate actions taken, including restricting external access and collaborating with external cybersecurity specialists to investigate the intrusion, assess the full scope of the impact, and analyze the underlying causes.
The company also confirmed they are working with business partners to implement necessary remediation measures.
The compromised information encompasses a range of personal data, including names, company affiliations, job titles, addresses, and business email addresses for customers, partners, and employees. Specifically, customer data includes company name, affiliation, job title, company address, business email, and phone number. Partner data includes name and business email addresses (company domain). Employee data includes name, department, position, and business email address. While Nippon Steel Solutions stated there is no current evidence of the data appearing on social media or the dark web, they recommend vigilance against suspicious communications.
Nippon Steel Solutions has taken comprehensive steps following the breach, including consulting with and notifying the police, and submitting a required report to the Personal Information Protection Commission. With guidance from external experts, they have isolated and rebuilt the compromised devices, strengthened exit (egress) measures, and enhanced behavior detection protocols to restore the security of their internal network. This data breach also comes at a notable time, coinciding with Nippon Steel’s ongoing acquisition of US Steel.