Capcom Verifies Compromised Data for Additional 16,406 People Following Unauthorized Network Attack
posted on by Alex Mateo
CAPCOM confirmed on Tuesday that personal information maintained by the CAPCOM Group has been compromised, following the customized ransomware attack caused by unauthorized access to its network on November 2. CAPCOM had announced on November 16 that personal information of nine people had been compromised, and the company verified with its latest investigation update that personal information of an additional 16,406 people has been compromised.
A total of 16,415 people have had their personal information — including name, address, phone number, email address, and HR information — compromised from the unauthorized network attack. Of those, 3,248 people are business partners, 9,164 are former employees and related parties, and 3,994 people are employees. CAPCOM determined that the maximum number of people that may have had personal information compromised is approximately 390,000.
CAPCOM's internal systems have mostly recovered, and its business operations have returned to normal. The company reported that there have been no changes to CAPCOM Group's consolidated business results for the fiscal year ending March 31.
CAPCOM had announced on November 4 that some of the company group's networks experienced issues due to unauthorized access from a third party that affected access to its systems, including email and file servers, starting on November 2 in the early morning. The company halted some internal network operations. CAPCOM verified that it discovered a message from a criminal organization "Ragnar Locker" and contacted the Osaka Prefectural Police after confirming that the group was demanding ransom money. The company discovered compromised items on November 12.
As of November 16, CAPCOM has reported network issues to the supervisory authority under General Data Protection Regulation (Information Commissioner's Office in the U.K.) and the Personal Information Protection Commission in Japan. The company has also implemented protective software, shut down suspicious transmissions, and carried out server reconstruction. CAPCOM hired a third-party security company, and it has arranged a reporting and consulting structure with a major software company, security specialist vendor, and law offices.
CAPCOM had previously stated that the attack may have compromised additional personal and corporate information. The potentially compromised personal data includes Japanese customer service video game support help desk information, North American CAPCOM Store and Esports operations website member information, a shareholder list, and personal information on former employees, their families, applicants, and human resources workers. Potentially compromised corporate data includes sales data, business partner information, sales documents, and development documents. CAPCOM verified that none of this data contains credit card information.
The company is contacting individuals whose information has been compromised in order to explain the incident. CAPCOM is carrying out an ongoing investigation to look into potentially compromised data.
CAPCOM will continue coordinating with law enforcement authorities in the U.S. and Japan, a major information technology security specialist company, and external security experts.
The incident has not affected CAPCOM's online game connections or website access. The company apologized for any concerns regarding this incident, and it stated that it believes any effect on CAPCOM Group's consolidated business results for this fiscal year will be negligible.