Found a phishing URL? Shut it down instantly with one click. No contracts, no waiting—take control & DX your anti-phishing now! 🚀 Learn More

NTT Communications Data Breach: Over 17,000 Corporate Clients Affected in Major Security Incident

NTT Communications Data Breach: Over 17,000 Corporate Clients Affected in Major Security Incident

March 14, 2025

In February 2025, NTT Communications suffered a significant security breach, leading to the possible exposure of contract information from approximately 17,891 corporate clients. This breach underscores the growing threats to Japan’s telecommunications sector and highlights the need for stronger cybersecurity measures.

Incident

Overview of the Attack

On February 5, 2025, NTT Communications’ cybersecurity team detected suspicious activity within its internal Order Information Distribution System (System A). Initial mitigation actions were taken the same day by restricting access to the affected system.

Further investigation revealed that by February 6, 2025, unauthorized access had led to the potential leakage of some internal information. On February 15, 2025, another compromised system (System B) was identified within the internal network, prompting an immediate network isolation of the affected asset.

Details of the Leaked Information

The breach may have impacted corporate clients subscribed to various business services, though NTT DoCoMo’s enterprise mobile contracts are confirmed to be unaffected.

Potentially Exposed Information:

  1. Total Affected Companies: 17,891
  2. Leaked Data Types:
    1. Contract number
    2. Company name (contract holder)
    3. Customer representative name
    4. Phone number
    5. Email address
    6. Address
    7. Service usage details

At this stage, NTT Communications has not disclosed how attackers infiltrated the systems or whether any credentials or privileged accounts were exploited.

Attackers' Claims

No known hacker group has publicly taken responsibility for the attack, and no ransom demands have been reported. There is also no evidence, as of yet, that the stolen data has been sold or leaked on dark web forums.

Company Response and Prevention Measures

NTT Communications has notified the relevant authorities and has begun contacting affected customers individually through its sales representatives or official letters.

The company is currently implementing enhanced security measures, including:

  1. Strengthening cybersecurity monitoring and response
  2. Reviewing access control policies
  3. Improving intrusion detection mechanisms
  4. Conducting internal cybersecurity training

MITRE ATT&CK Analysis

Tactic (Category) Technique Description Evidence in NTT Com Case
Initial Access T1566.001 - Phishing: Spearphishing Attachment Attackers may have sent targeted phishing emails containing malicious attachments to gain access. Possible – Not confirmed, but phishing is a common entry method.
Initial Access T1078.004 - Valid Accounts: Cloud Accounts Use of stolen credentials to access internal systems. Possible – Attackers infiltrated critical internal systems, possibly via compromised accounts.
Execution T1204.002 - User Execution: Malicious File Execution of a malicious file by a user. Not Confirmed – No official statement on malware involvement.
Persistence T1078 - Valid Accounts Use of stolen credentials for long-term access. Possible – The attack persisted undetected for an extended period.
Privilege Escalation T1068 - Exploitation for Privilege Escalation Exploiting system vulnerabilities to gain higher privileges. Not Confirmed – No vulnerability exploitation reported.
Defense Evasion T1562.001 - Disable or Modify Tools: Disable Security Tools Attackers may have disabled security monitoring tools to evade detection. Not Confirmed – Attack remained undetected until suspicious activity was flagged.
Credential Access T1555.003 - Credential Dumping: Windows Credentials Extracting credentials from memory or databases. Possible – Access to multiple systems suggests credentials were compromised.
Discovery T1018 - Remote System Discovery Attackers explore internal network systems. Likely – The attackers compromised at least two separate internal systems.
Lateral Movement T1021.001 - Remote Services: Remote Desktop Protocol Attackers spread through the network via RDP. Possible – Attackers infiltrated multiple internal devices.
Collection T1560 - Archive Collected Data Attackers archive stolen data for exfiltration. Possible – No direct evidence, but data leakage suggests collection.
Exfiltration T1041 - Exfiltration Over C2 Channel Data is exfiltrated via a Command & Control (C2) server. Possible – Information leakage confirms data left the network.
Impact T1485 - Data Destruction Attackers delete logs or destroy data to erase evidence. Possible – No confirmation from NTT Communications.

Disclosure Timeline

Date Event
February 5, 2025 Suspicious activity detected in System A; initial mitigation actions taken.
February 6, 2025 Unauthorized access and potential data leakage confirmed.
February 15, 2025 System B identified as compromised; network isolation measures implemented.
March 5, 2025 NTT Communications publicly announces the breach.
March 11, 2025 Affected corporate clients are notified individually.

Analysis

This incident exposes the vulnerability of NTT Communications—a leading Japanese telecom giant—to cyberattacks. Despite being lauded for technological prowess, Japanese companies consistently underinvest in cybersecurity and lack a true sense of urgency.

Alarmingly, a firm of NTT Com’s stature leaked data from 17,000 corporate customers. As a pillar of Japan’s telecommunications infrastructure, NTT Group should be impenetrable. Yet, unauthorized access was permitted with shocking ease, revealing a catastrophic failure in internal security monitoring.

Compounding the issue is the entrenched culture of concealment. Japanese firms have a history of downplaying breaches by delaying disclosure and minimizing impact. NTT Com’s current “investigation” raises doubts that the actual leak might be far more extensive than reported.

Moreover, many Japanese companies mistake ransomware attacks for the sole threat, ignoring the insidious risk of silent data theft. By the time unauthorized access is detected, stolen data may already be traded on dark markets, imperiling entire supply chains and making traceability nearly impossible.

NTT Com’s failure is a harbinger. Many Japanese companies assume they are safe if not directly targeted, neglecting basic countermeasures. Consequently, the next victim is likely to be one of NTT Com’s partners—or any company dependent on Japan’s telecom infrastructure.

In summary, NTT Com’s delayed response and lax security are unacceptable. Unless Japanese enterprises confront this reality and radically improve their cybersecurity, they risk not only further data breaches but also a significant erosion of international credibility and competitive edge.

References

  1. NTT Communications Official Website: https://www.ntt.com/
  2. NTT Communications Press Release: "Regarding Unauthorized Access to NTT Communications," NTT Communications, March 5, 2025, https://www.ntt.com/about-us/press-releases/news/article/2025/0305_2.html
  3. https://attack.mitre.org/