Here’s what we know.
Earlier this month, Japanese video game developer Capcom revealed that it had suffered a security breach which saw malicious hackers access its internal networks and cause “network issues”.
In a press release, the developer of such hit games as “Resident Evil” and “Street Fighter” attempted to reassure the public that “at present there is no indication that any customer information was breached.”
Well, plot twist. That’s no longer the case.
In a new press release, Capcom confirms that it not only fell victim to a ransomware attack but that the malicious hackers accessed sensitive personal data of up to 350,000 people.
According to the firm, it has verified that personal and corporate data accessed by the hackers includes:
- Details of former employees (name, signature, name and address, passport details)
- Details of current employees (name and HR information, signature)
- Sales reports
- Financial information
No credit card information, however, has been put at risk as Capcom uses a third-party service provider for all of its online transactions.
However, Capcom reports that the hackers may have also potentially compromised the following data related to customers and business partners:
- Japan: Customer service video game support help desk information (approximately 134,000 items) – Names, addresses, phone numbers, email addresses
- North America: Capcom Store member information (approximately 14,000 items) – Names, birthdates, email addresses
- North America: Esports operations website members (approximately 4,000 items) – Names, email addresses, gender information
- List of shareholders (approximately 40,000 items) – Names, addresses, shareholder numbers, amount of shareholdings
- Former employees’ (including family) information (approximately 28,000 people); Applicants’ information (approximately 125,000 people) – Names, birthdates, addresses, phone numbers, email addresses, photos, etc.
Furthermore, Capcom believes the hackers may have accessed further details of approximately 14,000 people (Human resources information), as well as sales data, business partner information, sales documents, development documents, and so forth.
According to Capcom, it received a blackmail message from the notorious Ragnar Locker team demanding that ransom payment be made for the safe return of the stolen data, and a decryption tool.
The company’s investigation into precisely how much data might have been exfiltrated from its network has been hampered by its servers being encrypted by the targeted ransomware attack, and access logs being deleted by the hackers.
However, Capcom is working with law enforcement agencies in Japan and the United States, and has engaged the services of external security experts in an attempt to prevent a reoccurrence of such an attck in future.
Wisely, the company asks individuals potentially affected by the security breach to be on their guard against suspicious emails that they might receive from criminals.
Capcom claims that “it is safe for Capcom customers or others to connect to play the company’s games online and access its websites.”
All of the above detail suggests that Capcom is not negotiating with its attackers, and has decided not to give in to Ragnar Locker’s ransom demands.
As Joe Tidy of BBC News reports, Capcom’s defiance has not gone down well with its attackers:
On Ragnor Locker’s dark-net webpage, the hackers didn’t just post Capcom’s data but also an ominous message.
In broken English they wrote the Japanese company didn’t “make a right decision and save data from leakage”.
This – and the fact Capcom is openly talking about the hack – suggests the company chose not to pay the cyber-criminals’ extortion demand.
No doubt the incident has affected the firm’s reputation and some sensitive data is already surfacing online.
But reading the disappointment in Ragnor Locker’s statement is refreshing and rare.
Not every company can withstand a targeted ransomware attack, let alone stand firm and refuse to pay a ransom when extortionists demand it. It’s impressive to see Capcom apparently refusing to cave in to the criminal demands, but one wonders how the company’s customers and partners feel about it…
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.