A Japanese Health Insurance Society Web Site Kosmo Communication Web Vulnerable to POODLE

Every Japanese company has its own health insurance society for employees, and some IT vendors provide cloud services that naturally contain employees' sensitive personal information, such as which medicine was prescribed to you and at which pharmacy.

One such self-service health insurance web portal is still vulnerable to the POODLE attack, which was disclosed four years ago. The web portal, called Kosmo Communication Web, is provided by Daiwa Institute of Research Business Innovation, an affiliate of Daiwa Securities.
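POODLE only works when a server still completes an SSLv3 handshake with a CBC cipher suite, so the first thing a defender checks is whether that handshake is still accepted. The following script is an added example, not code from the original post or from the vendor: it builds a minimal SSLv3 ClientHello, sends it, and classifies the first record that comes back (a ServerHello at version 3.0 means the POODLE precondition is met; an alert means SSLv3 is refused). The host name `example.invalid` is a placeholder; point it at a server you are responsible for.

```python
import socket
import struct

SSL3_VERSION = b"\x03\x00"


def build_sslv3_client_hello() -> bytes:
    """Build one SSLv3 ClientHello record offering only CBC suites (the POODLE precondition)."""
    cipher_suites = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, DES-CBC3-SHA
    body = (
        SSL3_VERSION
        + b"\x00" * 32                                   # client random (constant is fine for a probe)
        + b"\x00"                                        # session id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                    # one compression method: null
    )
    # Handshake header: type 1 = ClientHello, 3-byte body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 = handshake, version 3.0, 2-byte length
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first TLS/SSL record a server returned for the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"
    content_type, record_version = data[0], data[1:3]
    if content_type == 0x15:
        return "rejected"  # alert record: server refuses SSLv3 (the desired state)
    is_server_hello = content_type == 0x16 and len(data) >= 11 and data[5] == 0x02
    if is_server_hello and record_version == SSL3_VERSION and data[9:11] == SSL3_VERSION:
        return "sslv3-accepted"  # server negotiated SSL 3.0: POODLE precondition met
    return "other"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the SSLv3 ClientHello to host:port and classify the reply (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except socket.timeout:
            return "no-response"


if __name__ == "__main__":
    # Placeholder host; replace with a server you administer.
    print(probe_sslv3("example.invalid"))
```

A result of `sslv3-accepted` means the server should have SSLv3 disabled outright; `rejected` is the expected answer from a correctly configured server.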

Why did I find out that this web site is vulnerable? Because I'm a user of this service. I work for a company, listed on the first section of the Tokyo Stock Exchange, which uses this cloud service.

The English promotion page of Kosmo Communication Web doesn't provide useful information, while the Japanese page says that more than four hundred Japanese companies use this cloud service to manage their employees' medical history.

When you search for the keywords "Kosmo web", you will find that several large Japanese companies use this cloud service.

This service doesn't offer two-factor authentication as an option for employees to protect their sensitive data. However, the data processor, Daiwa Institute of Research Business Innovation, is certified under ISO 27001 and provides several services concerning securities, banking and asset management.

My company doesn't allow employees to opt out of having their sensitive data processed on this service, and it didn't request employees' consent before adopting this cloud service.

This is one example of how sensitive personal data is processed in large Japanese companies.