NTT Communications Data Breach: Over 17,000 Corporate Clients Affected in Major Security Incident
March 14, 2025
In February 2025, NTT Communications suffered a significant security breach, leading to the possible exposure of contract information from approximately 17,891 corporate clients. This breach underscores the growing threats to Japan’s telecommunications sector and highlights the need for stronger cybersecurity measures.
- Incident
- MITRE ATT&CK Analysis
- Disclosure Timeline
- Analysis
- References
Table of Contents
Incident
Overview of the Attack
On February 5, 2025, NTT Communications’ cybersecurity team detected suspicious activity within its internal Order Information Distribution System (System A). Initial mitigation actions were taken the same day by restricting access to the affected system.
Further investigation revealed that by February 6, 2025, unauthorized access had led to the potential leakage of some internal information. On February 15, 2025, another compromised system (System B) was identified within the internal network, prompting an immediate network isolation of the affected asset.
Details of the Leaked Information
The breach may have impacted corporate clients subscribed to various business services, though NTT DoCoMo’s enterprise mobile contracts are confirmed to be unaffected.
Potentially Exposed Information:
- Total Affected Companies: 17,891
- Leaked Data Types:
- Contract number
- Company name (contract holder)
- Customer representative name
- Phone number
- Email address
- Address
- Service usage details
At this stage, NTT Communications has not disclosed how attackers infiltrated the systems or whether any credentials or privileged accounts were exploited.
Attackers' Claims
No known hacker group has publicly taken responsibility for the attack, and no ransom demands have been reported. There is also no evidence, as of yet, that the stolen data has been sold or leaked on dark web forums.
Company Response and Prevention Measures
NTT Communications has notified the relevant authorities and has begun contacting affected customers individually through its sales representatives or official letters.
The company is currently implementing enhanced security measures, including:
- Strengthening cybersecurity monitoring and response
- Reviewing access control policies
- Improving intrusion detection mechanisms
- Conducting internal cybersecurity training
MITRE ATT&CK Analysis
| Tactic (Category) | Technique | Description | Evidence in NTT Com Case | ||
|---|---|---|---|---|---|
| Initial Access | T1566.001 - Phishing: Spearphishing Attachment | Attackers may have sent targeted phishing emails containing malicious attachments to gain access. | Possible – Not confirmed, but phishing is a common entry method. | ||
| Initial Access | T1078.004 - Valid Accounts: Cloud Accounts | Use of stolen credentials to access internal systems. | Possible – Attackers infiltrated critical internal systems, possibly via compromised accounts. | ||
| Execution | T1204.002 - User Execution: Malicious File | Execution of a malicious file by a user. | Not Confirmed – No official statement on malware involvement. | ||
| Persistence | T1078 - Valid Accounts | Use of stolen credentials for long-term access. | Possible – The attack persisted undetected for an extended period. | ||
| Privilege Escalation | T1068 - Exploitation for Privilege Escalation | Exploiting system vulnerabilities to gain higher privileges. | Not Confirmed – No vulnerability exploitation reported. | ||
| Defense Evasion | T1562.001 - Disable or Modify Tools: Disable Security Tools | Attackers may have disabled security monitoring tools to evade detection. | Not Confirmed – Attack remained undetected until suspicious activity was flagged. | ||
| Credential Access | T1555.003 - Credential Dumping: Windows Credentials | Extracting credentials from memory or databases. | Possible – Access to multiple systems suggests credentials were compromised. | ||
| Discovery | T1018 - Remote System Discovery | Attackers explore internal network systems. | Likely – The attackers compromised at least two separate internal systems. | ||
| Lateral Movement | T1021.001 - Remote Services: Remote Desktop Protocol | Attackers spread through the network via RDP. | Possible – Attackers infiltrated multiple internal devices. | ||
| Collection | T1560 - Archive Collected Data | Attackers archive stolen data for exfiltration. | Possible – No direct evidence, but data leakage suggests collection. | ||
| Exfiltration | T1041 - Exfiltration Over C2 Channel | Data is exfiltrated via a Command & Control (C2) server. | Possible – Information leakage confirms data left the network. | ||
| Impact | T1485 - Data Destruction | Attackers delete logs or destroy data to erase evidence. | Possible – No confirmation from NTT Communications. | ||
Disclosure Timeline
| Date | Event | ||||
|---|---|---|---|---|---|
| February 5, 2025 | Suspicious activity detected in System A; initial mitigation actions taken. | ||||
| February 6, 2025 | Unauthorized access and potential data leakage confirmed. | ||||
| February 15, 2025 | System B identified as compromised; network isolation measures implemented. | ||||
| March 5, 2025 | NTT Communications publicly announces the breach. | ||||
| March 11, 2025 | Affected corporate clients are notified individually. | ||||
Analysis
This incident exposes the vulnerability of NTT Communications—a leading Japanese telecom giant—to cyberattacks. Despite being lauded for technological prowess, Japanese companies consistently underinvest in cybersecurity and lack a true sense of urgency.
Alarmingly, a firm of NTT Com’s stature leaked data from 17,000 corporate customers. As a pillar of Japan’s telecommunications infrastructure, NTT Group should be impenetrable. Yet, unauthorized access was permitted with shocking ease, revealing a catastrophic failure in internal security monitoring.
Compounding the issue is the entrenched culture of concealment. Japanese firms have a history of downplaying breaches by delaying disclosure and minimizing impact. NTT Com’s current “investigation” raises doubts that the actual leak might be far more extensive than reported.
Moreover, many Japanese companies mistake ransomware attacks for the sole threat, ignoring the insidious risk of silent data theft. By the time unauthorized access is detected, stolen data may already be traded on dark markets, imperiling entire supply chains and making traceability nearly impossible.
NTT Com’s failure is a harbinger. Many Japanese companies assume they are safe if not directly targeted, neglecting basic countermeasures. Consequently, the next victim is likely to be one of NTT Com’s partners—or any company dependent on Japan’s telecom infrastructure.
In summary, NTT Com’s delayed response and lax security are unacceptable. Unless Japanese enterprises confront this reality and radically improve their cybersecurity, they risk not only further data breaches but also a significant erosion of international credibility and competitive edge.
References
- NTT Communications Official Website: https://www.ntt.com/
- NTT Communications Press Release: "Regarding Unauthorized Access to NTT Communications," NTT Communications, March 5, 2025, https://www.ntt.com/about-us/press-releases/news/article/2025/0305_2.html
- https://attack.mitre.org/
-
🇯🇵🔓Japan Data Breach Cases 2025 | Major Data Leaks, Cyber Attacks, and Countermeasures
-
1Japan’s Innovation Agency Hacked – 7,600 Records Leaked – Maybe They Should Innovate a Firewall?
-
2Ransomware Knocks Out Japanese Clinic – 300,000 Patient Records Exposed
-
3Unauthorized Access to Hands Club App by Hands Co., Ltd.: Japan Data Breach Case 2025
-
4Kaikatsu Club Hacked: 7.29 Million Member Data Exposed
-
5ZACROS Ransomware Nightmare: 157K Personal Records Exposed in Major Data Breach
-
6ISEKI Hokkaido Ransomware Scare: 53.6K Personal Records at Risk in Cyber Attack
-
7Sankei Lingerie Data Breach: Up to 292K Records, Including 71K Credit Cards, Exposed in Major Mail-Order Hack
-
8NTT Communications Data Breach: Over 17,000 Corporate Clients Affected in Major Security Incident
- Services
-
1Phishing Site Takedown – Instant, Guaranteed Removal | Global 24/7
-
2Security focused Web Development Service
-
3Website Vulnerability Assessment
-
4Cloudflare Integration Support Service
-
5OSINT Research Service
-
6Phishing Site Takedown Guarantee Plan
-
7Good Faith Squatting Service
-
8デジタル脅威テイクダウン