TOKYO -- The personal information of many Trello task management software users was left visible to anyone online for prolonged periods under the service's settings, it was learned on April 6.
Following the revelations, the Japanese government's National Center of Incident Readiness and Strategy for Cybersecurity issued a warning on its official Twitter account the same day, urging users to change their settings to "private." Meanwhile, fear of personal information leaks has erupted online.
The Mainichi Shimbun confirmed on April 6 that the names, addresses, and phone numbers of those who applied for coronavirus vaccine clinical studies, individuals' and companies' bank account PINs, and job-hunting students' mobile phone numbers and academic backgrounds could be viewed publicly.
Trello is owned by Atlassian, a software company based in Australia, and firms use the service for recruitment and project management, among other purposes. Trello was launched in Japan in February 2018.
Users can choose among the options of making their information "public," "accessible to the team," and "private" in Trello's settings. When the "public" option is chosen, the personal data also appears on Google and other search engines, making it accessible to anyone with a web browser.
In comments to the Mainichi Shimbun, an Atlassian Japan representative insisted that Trello's personal data settings were set to "private" by default. The representative added that "users had most likely changed the option to 'public' on their own," and that the firm has been warning users about the software settings.
Users on Twitter vented their agitation with posts including, "This is disastrous. The leak is much larger than I imagined," and, "It's torture to have your personal information revealed without you knowing about it."
Many tweets called on people to do online searches on themselves, and for the names of "university students who have been job hunting recently." Others, such as one post reading, "I feel extremely sorry for the students whose information is still accessible," voiced concern for job-hunting students.
Other posts from accounts apparently belonging to job hunters revealed intense worry, such as, "I was so frightened that I searched my own name," and "I'm probably safe because my name didn't come up in searches, but until then I was scared to death."
Some Twitter users, meanwhile, wondered "why personal information is being managed in such a place," or suggested that Trello users had switched their settings from the default "private" to "public" on their own. Comments included, "People are using the app badly," and, "Users themselves must have high security awareness."
Among the information made available online was entertainment agencies' location shooting schedules and audition participants' profiles, as well as the names and addresses of underage girls who applied for part-time work. None of this information would have been publicly disclosed under normal circumstances.
The Cabinet Office's National Center of Incident Readiness and Strategy for Cybersecurity (NISC), which has taken a grave view of the matter, issued a statement via their official Twitter account on the afternoon of April 6, which read, "It has been confirmed that on a web service called Trello, which can be utilized by the general public for business management and other purposes, failure to take appropriate measures has resulted in users' information being visible to external parties. In cases where users have no intention of making their information accessible, please take appropriate measures, such as changing settings to 'private'."
Chief Cabinet Secretary Katsunobu Kato said in an April 6 press conference, "We have not been informed of any damage to governmental agencies from the problem at present," and said he intends to keep a close eye on the situation.
(Japanese original by Ran Kanno, Yukinao Kin, Masakazu Yui, Digital News Center and Daichi Matsuoka, Atsuko Motohashi, Business News Department)