[Josys Original Survey] 96% of Nikkei 225 Companies Experienced Information Leaks in the Past 3 Years

Josys Co., Ltd. (Headquarters: Minato-ku, Tokyo; Representative Director and CEO: Yasuhiro Matsumoto; hereinafter 'Josys'), which provides an identity security platform, conducted an independent survey on cybersecurity targeting companies listed on the Nikkei 225. The results revealed that over 96% (217 companies) experienced information leaks, and 75% (168 companies) experienced serious information leaks including endpoint infections in the past three years. ■ Survey Summary 96.4% of companies experienced information leaks, with an employee leak rate of 2.9% Information leaks were confirmed at 217 out of 225 surveyed companies in the past three years. The total number of leaked records exceeded 270,000, resulting in a leak rate of 2.9% relative to the total number of employees. (*1) 74.6% of companies confirmed serious leaks Serious leaks involving authentication information for authentication infrastructure, security-related systems, and customer management applications occurred at 168 out of 225 surveyed companies. By industry, the pharmaceutical industry had the highest information leak rate, while banks had the lowest. The pharmaceutical industry had the highest information leak rate relative to employee count (11.6%). It was followed by the construction industry (7.0%) and the food industry (6.5%). On the other hand, the overall leak rate for banks was 0.7%, and for megabanks, it was as low as 0.5% on average, suggesting a high level of security measures. *1 For calculating the number of leaks, one company out of 225 was excluded from the aggregation due to anomaly detection. The target was 224 companies. ■ Key Findings 1. In the past 3 years, 96.4% of companies experienced information leaks, totaling over 270,000 cases This survey confirmed information leaks in the past three years at 217 out of 225 Nikkei 225 constituent companies (96.4%). The total number of leaked records reached 279,206 (*2), resulting in a leak rate of 2.9% relative to the total number of employees of the target companies (9,564,043). This means that for every 100 employees, authentication information for approximately 3 individuals was leaked. These results show that information leaks are not a problem limited to specific industries or company sizes, but a management challenge faced by almost all major Japanese companies. Furthermore, with a leak rate of 2.9%, cybersecurity incidents must be recognized not as exceptional events but as a constant risk in corporate activities. Companies are required to adopt measures assuming breaches and strengthen continuous monitoring systems. *2 The figures in this survey indicate 'the number of pieces of information circulating on the dark web, etc., as information of the relevant company,' which is a highly anonymous marketplace where leaked authentication information and personal information are traded. While we obtain information bought and sold as authentication information for specific companies, there is a possibility that it is not actually the information of that company or that it includes information that has already been invalidated. 2. Serious authentication leaks occurred at 74.6% of companies; authentication information of employees at 7 out of 10 companies leaked Authentication information leaks in highly important applications such as authentication infrastructure, security, and customer management were confirmed at 168 out of 225 surveyed companies (74.6%). In recent years, malware is increasingly aimed not only at destroying endpoints or stopping systems but also at stealing authentication information and session tokens. Attackers use stolen IDs and passwords to infiltrate cloud environments and steal information, making the expansion of damage after infection a serious risk. 3. Pharmaceutical industry had the highest information leak rate at 11.6% relative to employee count, while banks had the lowest at 0.7% Analysis of the information leak rate per employee by industry showed that the pharmaceutical industry was the highest at 11.6%. This was followed by the construction industry at 7.0% and the food industry at 6.5%, indicating a relatively higher leak risk in specific industries. On the other hand, the lowest was the banking industry at 0.7%. Among them, the average leak rate for megabanks was only 0.5%. Comparing the pharmaceutical industry and megabanks, the difference was more than 23 times, revealing significant disparities in cybersecurity risks and countermeasure levels across industries. The pharmaceutical industry is considered a likely target for cyberattacks because it holds highly valuable information for attackers, such as R&D data and intellectual property. The construction industry is also seen as a targeted sector, as it often handles data with geopolitical and economic value, such as information related to overseas infrastructure projects and plant construction. Regarding the food industry, it is possible that some companies have insufficient investment and system development in the cybersecurity domain compared to other industries, leading to higher leak rates. On the other hand, the financial industry has advanced multi-layered security measures, including compliance with strict regulations, strengthening network access control and authentication infrastructure, and building continuous monitoring systems. As a result, it achieved the lowest leak rate in this survey, indicating a high level of security maturity across the industry. Survey Name: Survey on Cybersecurity at Nikkei 225 Companies Target: 225 companies listed on the Nikkei Stock Average (Nikkei 225) and their group companies Number of Target Employees: 9,564,043 (one company was excluded from aggregation due to anomalous values) Period: March 1, 2023 - June 1, 2026 Method: Extraction survey using the company's data analysis tools (as of June 2026) Conducted by: Josys Co., Ltd. *Composition ratios and percentages are calculated by rounding off the second decimal place. ▪️ Conclusion What this survey showed is the fact that cybersecurity incidents are not 'a problem for some companies' but a structural challenge faced by the majority of Japan's leading large enterprises. A leak rate of 96.4% means that the leakage of authentication information has become commonplace across industries, regardless of the presence or absence of countermeasures. Furthermore, the time it takes for leaked authentication information to be exploited by attackers is shortening year by year, and the damage expands the longer detection is delayed. Establishing identity security that centrally visualizes, manages, and defends 'who has access to what and how' is no longer just an issue for some security personnel but a priority that management must address. ■ Background of the Survey In recent years, the methods of ransomware attacks have changed significantly. In addition to traditional attacks exploiting system vulnerabilities, attacks using legitimate IDs and passwords stolen by information-stealing malware called 'infostealers' for unauthorized login are increasing. In response to this situation, Josys conducted an independent survey targeting the Nikkei 225 constituent companies, a group representing Japanese corporations, to understand the actual state of authentication information leaks and malware infections. The survey results indicate that strengthening identity security is an urgent management issue not only for some companies but for all major Japanese companies. Furthermore, from today, Josys has started providing Japan's first three functions to strengthen ransomware attack countermeasures: 'Leaked Authentication Information Detection,' 'AI Agent Detection and Management,' and 'Automatic Policy Execution by AI.'