Canon publicly confirms August ransomware attack and data breach

Canon finally confirmed that it suffered a ransomware attack in early August that resulted in the theft of data from its servers.

Canon has finally confirmed that it was the victim of a ransomware attack in early August and that the threat actors also stole data from its servers.

In August, BleepingComputer first revealed the ransomware attack after it obtained an internal memo confirming that the outage Canon had suffered a few days earlier was caused by a ransomware attack.

The memo also reveals that the company has hired an external security firm to investigate the incident.

The problem was first reported by BleepingComputer, which tracked a suspicious outage on Canon’s image.canon cloud photo and video storage service. According to the media outlet, the incident resulted in the loss of data for users of the service’s free 10GB storage feature.

The image.canon site suffered an outage on July 30th, 2020, that lasted for six days, until August 4th.

At the time, the company confirmed only that it was conducting an internal investigation into a problem related to “10GB of data storage.”

Source BleepingComputer

According to Canon, some of the photo and image files saved prior to June 16 were “lost,” but it pointed out that they were not exposed in a data leak.

In mid-August, the Maze ransomware gang took credit for the attack and published unencrypted files allegedly stolen from Canon during the ransomware attack.

BleepingComputer obtained from its source a portion of the ransom note and an internal notification that Canon sent to its employees.

Canon internal notice – Source BleepingComputer

Maze ransomware operators started publishing data stolen from the company on their data leak site. The gang published a 2.2 GB archive called “STRATEGICPLANNINGpart62.zip” that the attackers claim contains around 5% of the total amount of documents stolen during the attack.

The archive contains files related to Canon’s website and marketing materials. According to BleepingComputer’s source, it does not appear to contain any financial information, employee information, or other sensitive data.

The investigation conducted by Canon found evidence of unauthorized access to its network between July 20 and August 6.

The hackers accessed company file servers that contained information about current and former employees from 2005 to 2020 and their beneficiaries and dependents.

This week, Canon confirmed the ransomware attack and the data breach. According to the company’s statement, the stolen data included employees’ names, Social Security numbers, dates of birth, driver’s license or government-issued ID numbers, bank account numbers for direct deposits from Canon, and electronic signatures.

“We identified a security incident involving ransomware on August 4, 2020.” reads the statement. “We determined that there was unauthorized activity on our network between July 20, 2020 and August 6, 2020.  During that time, there was unauthorized access to files on our file servers. We completed a careful review of the file servers on November 2, 2020 and determined that there were files that contained information about current and former employees from 2005 to 2020 and their beneficiaries and dependents.”

On November 1, the Maze gang shut down its operations. The list of the gang’s victims is long and includes the steel sheet giant Hoa Sen Group, Southwire, LG Electronics, Xerox, and the City of Pensacola.

Pierluigi Paganini

(SecurityAffairs – hacking, Canon)
