Japan Institute for CyberSpace Studies

Login

[#2 Issue]   Cross-Sector Cyber Incidents and Governance Shifts in Japan February 2026 Review

Mid-January – February 2026

This report summarizes publicly disclosed cybersecurity-related incidents and policy developments in Japan during the above period.

1. Cybersecurity Incidents

Trend 1 | Ransomware

Nippon Medical School Musashikosugi Hospital (Feb 13) A suspected ransomware attack affected internal hospital systems. Approximately 10,000 patient records were reportedly exposed.
Hospitals in Japan are designated as critical infrastructure under the national cybersecurity framework.

GALA Yuzawa Ski Resort (Feb 12) A suspected ransomware attack on the lift ticketing system may have exposed personal data of up to 1,518 customers. The incident highlights that mid-sized regional operators are also reporting cybersecurity incidents.

Omnibus Japan (Feb 13) The company issued its fourth disclosure regarding a ransomware attack first detected in December 2025. The firm operates within Japan’s media and entertainment sector.

Advantest Corporation (Feb 19 disclosure) Advantest, a Tokyo Stock Exchange Prime-listed company and a major global manufacturer of semiconductor test equipment, reported detecting a ransomware attack on February 15 (JST). Investigation into the scope and impact remains ongoing.

Asahi Group Holdings (Feb 18 investigation report) Asahi Group Holdings, a multinational beverage company headquartered in Japan, published investigation findings related to a ransomware attack first disclosed in September 2025. Confirmed data exposure totaled 115,513 records.

Hosokawa Micron Corporation (Feb 2 detection / Feb 20 publication confirmation) The company confirmed a possible cyberattack. A ransomware group claimed exfiltration of 30GB of data, and partial publication was later confirmed.

>Context

The affected entities span healthcare, manufacturing, semiconductor supply chains, leisure services, and media. Japan’s corporate structure includes a high number of mid-sized firms and globally integrated manufacturers, many of which operate across complex supply chains. Public disclosures during this period indicate continued cross-sector exposure to ransomware activity.

Trend 2 | Cloud and Access Control Incidents

Mynavi Corporation (Feb 12)
Unauthorized access to a cloud service used by a major employment platform.

CyberAgent (Feb 12)
Cloud configuration error allowed unintended cross-user data visibility.

CAC Corporation (Feb 12) 
Unauthorized access to a grants and donations management system.

Shinsia Co., Ltd. (Late January)
External unauthorized system access confirmed.

>Context

Cloud adoption in Japan has accelerated over the past decade, particularly among large enterprises and digital service providers. Several incidents during this period involved either external access to cloud-hosted systems or internal configuration errors. As in other jurisdictions, shared-responsibility security models continue to present operational challenges.

Trend 3 Insider-Related Incidents

Nippan Group Holdings (Feb 13)
Former employee forwarded internal emails externally.

Manufacturing sector arrest (Feb 11)
Hiroshima Prefectural Police arrested a former employee on suspicion of copying engineering drawings to external storage.

Dai-ichi Life Insurance Group (Feb 12)
Information management issue involving staff seconded to an agency partner.

Japan Airlines baggage delivery service (Feb 10 disclosure / Feb 20 clarification)
Initially disclosed as suspected unauthorized access; later investigation determined contractor error and log alteration. No confirmed data exfiltration.

>Context

Japan’s corporate ecosystem is characterized by extensive subcontracting, secondment arrangements, and group-company networks. Several incidents during this reporting period involved individuals with legitimate access credentials, including former employees and contractors. Law enforcement has continued to pursue cases involving alleged technical data removal.

Trend 4 | AI-Related Developments

  • In 2025, Japanese police arrested minors who had reportedly used generative AI tools in the development of unauthorized access tools.
  • In August 2025, European security firm ESET disclosed a malware variant that incorporated real-time queries to external AI services.
  • Japan’s Information-technology Promotion Agency (IPA) included AI-related cyber threats in its annual “Top 10 Information Security Threats 2026” — reflecting growing institutional recognition of AI as an attack enabler.

>Context

Japanese authorities and industry bodies have begun referencing AI-assisted techniques in both criminal investigations and threat reporting. IPA’s inclusion of AI-related risks reflects growing institutional awareness of generative AI’s potential misuse.

2. Policy Developments

Act on Prevention of Damage Caused by Unauthorized Acts against Critical Electronic Computers (Active Cyber Defense Legislation) Enacted May 16, 2025; promulgated May 23, 2025. To be implemented in phases within 18 months of promulgation (by November 2026), with full operational deployment targeted for fiscal year 2027. The legislation expands legal authorities to enable detection of and response to attack precursors on an ongoing peacetime basis. The National Police Agency will handle initial response; for sophisticated, organized attacks by foreign actors, a framework is envisioned in which the Self-Defense Forces also participate under Prime Ministerial directive and the command of the Minister of Defense.

National Cybersecurity Strategy Emphasizes public-private information sharing, early detection of attack precursors, and cross-sectoral coordination across critical infrastructure. The NCO (National Cyber Office), established on July 1, 2025 through the reorganization of NISC, serves as the central coordinating body. Note that “threat hunting” is not a statutory term; the activity is formally defined in legislation as the monitoring and analysis of communications information for the purpose of detecting attack precursors.

IT Vendor Accountability Guidelines A guideline aimed at clarifying the division of cybersecurity responsibilities between the government and critical infrastructure operators on one hand, and IT service providers on the other, is slated for finalization within fiscal year 2025. A draft — the “Guidelines on Required Roles of Cyber Infrastructure Operators (Draft)” — was released for public comment in October 2025, and work on finalization is ongoing. “IT Vendor Accountability Guidelines” is an unofficial, colloquial name.

JC-STAR IoT Security Labeling Scheme Launched March 25, 2025. Products are evaluated on a four-tier scale of one to four stars. Based on a Japan-UK memorandum of understanding concluded in November 2025, products certified at the ★1 level are deemed compliant with the technical requirements of the UK’s PSTI Act effective January 1, 2026 (mutual recognition applies to ★1 only). Discussions with the United States, EU, Singapore, and others are ongoing.

Counter-Espionage Legislation (Intelligence and Counter-Espionage Related Laws) A joint policy agreement between the LDP and Ishin, concluded in October 2025, explicitly calls for “prompt drafting and passage” of relevant legislation. Following the continuation of the same coalition government after the 2026 general election, Prime Minister Takaichi has expressed strong intent for early enactment, and the government officially confirmed the commencement of deliberations in February 2026. Reports indicate that an advisory panel of experts is to be established this summer, though the timeline for legislation remains undetermined and drafting work is in its early stages. It should be noted that this is a comprehensive legal framework encompassing defense and diplomatic secrets as well as foreign agent registration requirements, and is not limited to “economic espionage countermeasures.”

>Context

Japan has historically taken a relatively cautious approach to legal measures in cyberspace, placing significant weight on consistency with constitutional protections such as the secrecy of communications. Active cyber defense represents a major shift in statutory authority within that framework. The multiple policy measures described above are either in the process of phased implementation or remain under ongoing policy deliberation.

3. International Cooperation

  • Continuation of Japan-U.S. cyber exercises and policy coordination (including the Japan-U.S. Cyber Defense Policy Working Group)
  • Capacity building, information sharing, and joint exercises through the QUAD Cybersecurity Working Group
  • JC-STAR mutual recognition with the United Kingdom (★1 level; effective January 1, 2026)
  • Cyber cooperation with NATO (participation in Locked Shields exercises; cybersecurity designated as a priority area under the ITPP framework)
  • Continued engagement with the EU and ASEAN on cybersecurity

>Context

Japan’s international cooperation in cyber policy is organized around two broad axes. The first centers on regulatory harmonization and mutual recognition with the United States, the EU, and NATO. The second focuses on capacity building, information sharing, and joint exercises with countries across the Asia-Pacific region through frameworks such as QUAD and ASEAN. On the JC-STAR front, mutual recognition with the United Kingdom has been realized, and negotiations with Singapore and other regional partners are ongoing; however, compared to the regulatory harmonization achieved with Western counterparts, engagement at the regional level remains a work in progress. Taken together, these efforts form part of a broader international movement toward greater interoperability of digital security standards.Continued Japan–US cyber exercises and coordination activities.

Overall Snapshot

Public disclosures from mid-January through February 2026 reveal incidents across multiple sectors and organizational types, while concurrent policy developments point to continued expansion of Japan’s cybersecurity governance framework — with implementation milestones running through late 2026.

Information is based on publicly available sources as of February 28, 2026.

[JICSS Exclusive]
Expert Commentary By:

Nate Snyder / JICSS Special Advisor

Bio

Mobilizing Global Knowledge: Defining Japan’s Authentic Cyber Path

I served as a senior national security official in Obama-Biden and Biden-Harris Administrations.  In those roles I addressed numerous threats that the U.S. and her allies faced.  These threats ran the gamut from foreign and domestic terrorists and their use of technology to carry out attacks, to critical infrastructure protection and ensuring that U.S. communities and allies across the globe had the ability to identify and mitigate threats on an ever-changing landscape.  

Doing so meant that you needed to consistently assess a dynamic and sometimes asymmetric environment, but most importantly, that adaptation is a must.  Sometimes that meant making tough decisions, breaking out of comfort zones by taking risks, asking tough questions, pushing transformation within established institutions, forming unlikely partnerships, and at times even failing.  I have joined JICSS at what feels like a crucial moment for Japan, and I am hopeful that I can take those lessons and impart them on a trusted ally.    

Since joining JICSS in 2025, I’ve been closely immersed in Japan’s cybersecurity landscape.  As covered in our curated news aggregation and analysis, the constant stream of security incidents has only intensified since the start of 2026.  Given this environment, I feel there is special significance in compiling and delivering valuable curated information and insights through the JICSS platform.  I see this also as a great opportunity to engage with our readers, subscribers, and members through this effort as a very positive but necessary undertaking.  

Japan has always been exceptional at innovation—refining, perfecting, and doing things better than anyone else. But today’s cybersecurity challenges are moving faster than traditional approaches can handle. The threats are real and growing, from critical infrastructure vulnerabilities and state and non-state threat actors (PRC, DPRK, RUS), to regional security challenges that affect everyone from consumers to government.

Japan’s greatest transformations—the Meiji era, the post-war miracle—happened when global expertise met Japanese leadership and dynamism. Not by abandoning what makes Japan special, but by amplifying it. That’s exactly what we’re building at JICSS.

Our mission is straightforward but urgent: partner with Japanese leaders to develop cybersecurity solutions that are both world-class and authentically Japanese. Solutions that tackle real threats while respecting the culture and values that matter. We’re not here to import foreign models—we’re here to help mobilize the best global knowledge in service of Japan’s security and resilience.

This charge we have at JICSS is no small undertaking.  It is clear that the norms and long established conventional wisdom are changing in the region as well as globally.  We are seeing the cyber attack surface change overnight, new threats and trends emerge, but also new opportunities to explore and new partners to enlist.  This is very much an introduction, however, I am looking forward to working with the JICSS community to shed light on how we can take these challenges on together.  I am also hoping that with your participation we will be able to drive this vital conversation.  So, please watch this space, we will have more analysis, information, expertise, and engagement to share. I am looking forward to it. Onward.

Disclaimer:

This report is based on publicly available information as of February 28, 2026. Information may be subject to change as investigations and policy developments continue. The content is provided for informational purposes only.

Share the Post:

Related Posts

Login

Please log in below.

Close

Privacy Policy

The Japan Institute for CyberSpace Studies (hereinafter referred to as "JICSS") has established the following privacy policy (hereinafter referred to as "the Policy") regarding the handling of personal information of users in the services provided on this website (hereinafter referred to as "the Services").

Article 1 (Personal Information)
“Personal information” refers to "personal information" as defined in the Act on the Protection of Personal Information, and includes information about living individuals that can be used to identify specific individuals by name, date of birth, address, telephone number, contact information, and other descriptions, as well as data related to appearance, fingerprints, voiceprints, and health insurance card insurer numbers.

Article 2 (Method of Collecting Personal Information)
When you submit an inquiry form, JICSS will obtain your name and e-mail address.

Article 3 (Purpose of Collection and Use of Personal Information)
The purposes for which JICSS collect and use personal information are as follows

To provide and operate our services
To respond to inquiries from users (including identification)
To send e-mail notifications of new features, updates, campaigns, etc. of the service the user is using, as well as information on other services provided by the Company.
To contact you as necessary for maintenance, important notices, etc.
To identify users who violate the Terms of Use or who attempt to use the service for illegal or unjust purposes, and to refuse their use of the service.
To allow users to view, change, or delete their own registration information, or to view the status of their use of the service.
To bill users for paid services.
For purposes incidental to the above purposes of use

Article 4 (Change of Purpose of Use)
JICSS shall change the purpose of use of personal information only when it is reasonably recognized that the purpose of use is related to the purpose of use before the change.
In the event of a change, JICSS shall notify the User of the changed purpose or publicly announce it on this website in a manner prescribed by JICSS.

Article 5 (Provision of Personal Information to Third Parties)
Except in the following cases, JICSS will not provide personal information to a third party without the prior consent of the user. However, this excludes cases permitted under the Personal Information Protection Law and other laws and regulations.
When it is necessary for the protection of the life, body, or property of an individual and it is difficult to obtain the consent of the individual.
When the provision of personal information is especially necessary for improving public health or promoting the sound growth of children, and it is difficult to obtain the consent of the individual concerned.
When it is necessary to cooperate with a national agency, a local government, or an individual or entity entrusted by either a national agency or local government to execute affairs prescribed by law, and obtaining the consent of the individual is likely to impede the execution of such affairs.
When we have notified or announced the following matters in advance, and when we have notified the Personal Information Protection Committee
The purpose of use includes provision to a third party
Data items to be provided to the third party
Means or method of provision to third parties
Cessation of provision of personal information to third parties at the request of the individual
The method of accepting the request of the person in question
Notwithstanding the provisions of the preceding paragraph, in the following cases, the party to which the relevant information is provided shall not fall under the category of a third party.
(i) When we outsource all or part of the handling of personal information within the scope necessary for the achievement of the purpose of use
When personal information is provided as a result of the succession of business due to a merger or other reasons
When personal information is used jointly with a specific person, and the Company notifies the person in advance or makes the information readily accessible to the person in advance to that effect, the items of personal information jointly used, the scope of joint use, the purpose of use by the person using the information, and the name of the person responsible for managing the personal information Article 6 (Disclosure of Personal Information)

Article 6 (Disclosure of Personal Information)
When requested to disclose personal information by the person in question, JICSS will disclose such information to the person without delay. However, if JICSS decides not to disclose the personal information, it will notify the individual to that effect without delay. A fee of 1,000 yen will be charged for each case of disclosure of personal information.
When there is a risk of harm to the life, body, property, or other rights or interests of the person concerned or a third party
If there is a risk of significant hindrance to the proper conduct of our business
If it violates any other laws or regulations.
Notwithstanding the preceding paragraph, in principle, JICSS will not disclose information other than personal information, such as historical information and characteristic information.

Article 7 (Correction and Deletion of Personal Information)
If the User's personal information held by JICSS is incorrect, the User may request JICSS to correct, add, or delete (hereinafter referred to as "correct, etc.") his/her personal information in accordance with procedures determined by JICSS.
If we deem it necessary to respond to the request from the user as described in the preceding paragraph, we will make the correction, etc. to the relevant personal information without delay.
In the event that JICSS makes corrections, etc. based on the preceding paragraph, or decides not to make such corrections, etc., JICSS will notify the User of such decision without delay.

Article 8 (Suspension of Use of Personal Information)
When we receive a request from a user to stop using or delete (hereinafter referred to as "stop using, etc.") his/her personal information on the grounds that it has been handled beyond the scope of the purpose of use or that it has been obtained by wrongful means, we will conduct the necessary investigation without delay.
If, based on the results of the investigation described in the preceding paragraph, we determine that it is necessary to comply with the request, we will suspend the use of the relevant personal information without delay.
When JICSS suspends the use of personal information in accordance with the preceding paragraph or decides not to suspend the use of personal information, JICSS will notify the user of this decision without delay.
Notwithstanding the preceding two paragraphs, in cases where the suspension of use involves a large amount of cost or it is otherwise difficult to suspend the use of personal information, and alternative measures can be taken to protect the rights and interests of the user, these alternative measures shall be taken.

Article 9 (Changes to Privacy Policy)
The contents of this Privacy Policy may be changed without notice to the User, except as otherwise provided by law or other regulations.
Unless otherwise specified by the Company, the revised Privacy Policy shall take effect from the time it is posted on the Website.

Article 10 (Contact for Inquiries)
Inquiries regarding this policy should be directed to the following contact

Close

Commercial Disclosure

Legal Name The Japan Institute for CyberSpace Studies (JICSS), also registered as 一般社団法人 サイバー空間総合研究所.

Representative Our operations are led by our Director, Terutaka Kawabata.

Address Our headquarters are located at the Ginza Main Office: 4F Ginza KR II Bldg, 2-15-2 Ginza, Chuo-ku, Tokyo 104-0061, Japan.

Contact Information For inquiries, please contact us via email at info@jicss.org or by phone at +81 3 6281 5152. Our telephone support is generally available during standard business hours (10:00–17:00 JST), excluding weekends and public holidays.

Pricing and Additional Fees Service prices and membership dues are clearly displayed on the respective registration or checkout pages. There are no additional hidden fees for digital services; however, any bank transfer fees or internet connection costs remain the responsibility of the customer.

Payment Methods and Timing We accept payments via Credit Card (processed through Stripe) and Bank Transfer. Credit card payments are processed immediately at the time of purchase. For bank transfers, payment is required within 7 days of the order.

Delivery of Services Digital memberships and access to research materials are provisioned immediately upon successful completion of the payment process.

Cancellations and Refunds Due to the nature of digital content and immediate access to membership benefits, we generally do not offer refunds once a transaction is completed. You may cancel your membership at any time to prevent future billing through your account settings, but previous payments are non-refundable.