In November, Japanese game developer Capcom admitted to have suffered a cyberattack that is impacting business operations.
The company has developed multiple multi-million-selling game franchises, including Street Fighter, Mega Man, Darkstalkers, Resident Evil, Devil May Cry, Onimusha, Dino Crisis, Dead Rising, Sengoku Basara, Ghosts ‘n Goblins, Monster Hunter, Breath of Fire, and Ace Attorney as well as games based on Disney animated properties.
At the time, the Notice Regarding Network Issues published by the company revealed that on the morning of November 2nd, 2020 is suffered a cyberattack, In response to the incident the game developer shut down portions of their corporate network to prevent the malware from spreading.
The incident has not impacted connections for its players, the company initially declared that had not found any evidence that customer data was stolen.
In Mid-November, the company confirmed that the attackers accessed the personal information of its employees, along with financial and business information. The company believes that other information potentially accessed includes sales reports, financial information, game development documents, other information related to business partners.
No credit card information was compromised in the security breach.
After the attack, the Ragnar Locker ransomware operators claimed to have stolen over 1TB of data from the company.
In an update published by the Ragnar ransomware gang on it leak site the operators leaked a collection of archives as proof of the hack.
“Unfortunately even such worldwide leading company as CAPCOM doesn’t values much privacy and security. They was notified about vulnerability and data leak numerous time.” reads the post published by Ragnar gang on its leak site. They checked our page with proofs but even this didn’t help them to make a right decision and save data from leakage. Also we would help them to decrypt and also provide with recommendations on security measures improvement, to avoid such issues in future.” reads the post published by the ransomware on its leak site.
“We are sure that everyone should know about CAPCOM’s decision and careless attitude regarding data privacy. This might seems crazy in 21st century, all corporates should work harder on their security measures, especially IT and online based companies.”
This week, Capcom provided an update on its investigation, that revealed the incident was worse than initially thought because the number of impacted people is larger than initially believed.
Capcom revealed that the personal information of 16,415 people was stolen by the ransomware gang. Impacted people includes 3,248 business partners, 9,164 former employees, and related parties, and 3,994 employees and related parties. Only 9 people were impacted.
“Further, because the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time.” reads the update published by the company.
Cumulative maximum number of potentially impacted people is 390,000, an increase of approximately 40,000 people from the previous report.
1. Information verified to have been compromised (updated)
|i. Personal Information||16,406 people *cumulative total since investigation began: 16,415 peopleBusiness partners, etc.: 3,248 people|
At least one of the following: name, address, phone number, email address, etc.Former employees and related parties: 9,164 people
At least one of the following: name, email address, HR information, etc.Employees and related parties: 3,994 people
At least one of the following: name, email address, HR information, etc.
|ii. Other Information||Sales reports, financial information, game development documents, other information related to business partners|
2. Potentially compromised data (updated)
|i. Personal Information||Applicants: approx. 58,000 people|
At least one of the following: name, address, phone number, email address, etc.*Cumulative maximum number of potentially compromised data for customers,
business partners and other external parties: 390,000 people*Regarding the cumulative maximum number of potentially compromised data above: as part of its ongoing investigation, Capcom has determined that it currently does not see evidence for the possibility of data compromise for the approximate 18,000 items of personal information from North America (Capcom Store member information and esports operations website members) that the company included in its November 16, 2020 announcement. As such, these have been removed from this cumulative maximum number of potentially compromised data.
The company pointed out that the investigation is still ongoing and that new fact may come to light.
“At this point in time, Capcom’s internal systems have in large part recovered, and business operations have returned to normal.” concludes the update.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, CAPCOM)