Statement of Acknowledgment and Regret for Possible Unauthorized Personal Information Exposure

September 11, 2025
National University Corporation Kyoto Institute of Technology

 We regret to inform you that within the integrated academic management system administered by Kyoto Institute of Technology, certain files in the “Bulletin Board System” and “Email Distribution System” were unintentionally made externally accessible. We sincerely apologize for the concern and inconvenience caused to students, faculty, staff, and everyone involved.
 To prevent such incidents from occurring in the future, we are now further committed to strengthening our information security measures and enhancing internal checks.
 We also apologize for the delay in making this public. Confirming the facts took time due to the need for a thorough investigation to ensure accuracy and assess the full extent of the issue. We sincerely appreciate your understanding and, again, offer our apologies for any inconvenience.

1. Specifics of the Possible Exposure
(1) Overview
 As mentioned above, we discovered that some files within the university’s overall academic management system had become externally accessible for viewing and downloading. Affected files included the “notices” section of the bulletin board system and “attachments” to email distributed to students through the system’s email delivery function. In all, approximately 10,000 files were checked. Among these, 544 files contained personal information such as names, student ID numbers, and contact details. This potentially affected 2,539 individuals.
 No unauthorized use has been confirmed to date. An internal team of experts is continuing to investigate the cause and to implement measures to prevent recurrence.

(2) Specific Involvement
 As mentioned above, an investigation revealed that within the comprehensive academic management system adopted by KIT in 2011, “notices” from the bulletin board system and “attachments” to email distributed to students had been stored in the same folder. This design made it possible for external parties to view and access these files.
 Files had accumulated in this folder over the years since its adoption, ultimately resulting in a total of 10,000 such files. The 5,813 files posted in the “notices” section of the bulletin board system, the 2,599 “attachments” to email distributed to students through the system’s email delivery function, and 1,649 files stored in either system were all designed to be saved in the same folder on the web server of the overall academic management system.
 Among these, 544 files contained personal information such as names, student ID numbers, and contact details. One of the 544 files contained information classified as sensitive personal information under the Personal Information Protection Act.
 As some files contain information for multiple individuals, we determined that the actual number of individuals whose personal information could have been accessed was 2,539.
 As mentioned above, this situation is believed to have persisted since 2011 when the system was initially introduced. Investigations are ongoing regarding the data for August 8, 2024 to August 7, 2025, the period for which logs show a record of access or activity. Presently, no evidence of unauthorized use has come to light.

2. Identification and Response
 On August 7, 2025, it came to our attention that a “for KIT personnel only” file had been available for external viewing. We immediately blocked external access to the site and deleted the file in question. Our investigation revealed that the file category had been mistakenly set to “public access.”
 In the course of our assessment, we conducted an emergency inspection of other files related to the academic management system. This confirmed that both our bulletin board system “notice” files and email “attachments” for student distribution were stored in the same folder, highlighting a folder-use design flaw. All these files have now been removed from the server and stored in a local environment, rendering them externally inaccessible.
 Currently, a KIT team of experts is working to identify the cause of this oversight, confirm the scope of impact, and develop measures to prevent recurrence.

3. Types of externally accessible and retrievable information, and number of affected individuals
 The numbers below correspond to individuals associated with each type of information. Since some individuals are linked to multiple categories, the total sum of these numbers may differ from the overall total mentioned above in “1. Specifics of the Possible Exposure.”

Student Information:

(1) Those related to sensitive personal information containing health check-up certificates from AY2016: 1
(2) Those containing bank account information from AY2020, including copies of passbooks: 2
(3) Those related to financial status, such as household finances, income, scholarship applications, and international student surveys for AY2018 to AY2023: 26
(4) Those regarding tuition, scholarships, etc., containing names, phone numbers, guarantor names, and addresses from AY2019 onward: 108
(5) Those related to academic performance and study progress, including student numbers, names, grades, objections, previous institutions, and credit recognition from AY2014 onward: 137
(6) Those regarding academic status, including student numbers, names, departments, academic changes, guarantor information, and addresses from AY2014 to AY2024: 21
(7) Those related to international student surveys from AY2018, including student numbers and names: 3
(8) Those regarding student awards, including names and selection results from AY2015 and AY2016: 8
(9) Those regarding teaching assistant positions, including student numbers, names, etc., from AY2013, 2020, and 2021: 27
(10) Those related to course-related communications, including student numbers, names, addresses, and internship details from AY2014 to AY2024: 1,002
(11) Those related to administrative communications, including student numbers, names, and roles in events from AY2018 and AY2023 onward: 261
(12) Others containing names, etc., from AY2016 and AY2023-2024: 3

Student-affiliated Persons’ Information:

(1) Those related to tuition, scholarships, etc., containing names of guarantors/family members from AY2025: 10
(2) Those related to financial status, including names of guarantors/family members, income, etc., from AY2021-2022: 8
(3) Those related to academic status, including names, addresses, and phone numbers of guarantors on academic transfer requests from AY2014: 1

External Parties Information:

(1) Those related to tuition, scholarships, etc., containing the addresses, representative positions, and names of organizations from AY2019 and AY2021: 2
(2) Those related to student awards, including names of awardees from AY2024: 1
(3) Those related to course communications, including names, affiliations, roles, and project themes of receiving organizations in the Regional Revitalization Tech Program from AY2017, 2019, and 2023: 29
(4) Those related to course communications, including names, email addresses, and internship details from AY2023-2024: 16
(5) Those related to course communications, including names and email addresses of organizations involved in teaching practice from AY2023-2024: 4
(6) Those related to course communications, including the positions and names of representatives at lecture-attending organizations from AY2023: 1
(7) Those related to employment communication with external institutions, including workplace names, phone numbers, and email addresses from AY2017-2022: 749

Part-Time Instructor Information:

(1) Those related to academic performance and study progress, including names of individuals responding to objections to grades from AY2018 onward: 26
(2) Those related to course communications, including names of instructors from AY2021: 1

Faculty and Staff Information:

(1) Those related to sensitive personal information, including names of individuals providing health check-up certificates from AY2016: 1
(2) Those related to tuition, scholarships, etc., including names of individuals responsible for scholarship notification from AY2019-2021: 4
(3) Those related to academic performance, including names of individuals responsible for issuing certificates or providing contact information from AY2019 onward: 16
(4) Those related to academic status, including individuals responsible for academic transfer notifications from AY2014-2024: 5
(5) Those related to teaching assistants, including names of instructors from AY2013, 2020, and 2021: 5
(6) Those related to course communications, including names of instructors from AY2014-2024: 94
(7) Those related to administrative communications, including senders, meeting participants, and roles in events from AY2018 and AY2023 onward: 87
(8) Other documents containing names from AY2016: 1

4. Response to Affected Individuals
 As of this writing, no improper use of the personal data in question has been confirmed. However, we are treating this incident with the utmost seriousness and are individually contacting persons who may be affected, to notify them accordingly.

5. Prevention of Recurrence
 We view this incident with the utmost seriousness and are implementing measures to prevent recurrence. The cause lies in system design deficiencies which allowed information that should have been restricted to be viewed and accessed from outside. Going forward, we will inspect academic affairs and all other university-wide systems to confirm the absence of design flaws and will continue to implement necessary modifications. Furthermore, when developing new systems or modifying existing ones, we will thoroughly implement recurrence prevention measures to ensure similar incidents do not recur. This includes carefully checking designs in their initial stages and seeking cooperation from external specialized institutions as necessary.
 Additionally, we will further enhance awareness and thorough implementation of information security measures, including the handling of personal information, and sincerely commit to preventing recurrence of this type of incident.

A Message from the President:
 It has come to my attention that personal information within our system was externally accessible. We sincerely apologize for any distress this may have caused to affected individuals.
 Our internal team of experts is working diligently to determine the cause and fully assess the scope of the impact. In order to prevent such an incident from happening again, we are implementing comprehensive measures and are committed to addressing the situation with the highest level of integrity and transparency to alleviate any concerns.

President Masahiro Yoshimoto
National University Corporation Kyoto Institute of Technology

Contacts:
1. For Inquiries Regarding Personal Information Accessibility and External Exposure:

 Educational Coordination,
 Educational Affairs Office,
 Kyoto Institute of Technology
 Phone: 075-724-7026
 Inquiry form:
  /application/view/index.php?id=546155

2. For Inquiries from the Media and the General Public:
 General Affairs and Planning Office
 Kyoto Institute of Technology
 Phone: 075-724-7011
 E-mail: houki[at]jim.kit.ac.jp (Note: Replace [at] with @)