Earlier this month, Capcom revealed that there had been “unauthorized access carried out by a third party” on its internal computer systems, but the company added that “at present there is no indication that any customer information was breached.” This morning, though, Capcom revealed more details of the “customized ransomware attack” affecting its internal systems, potentially including the leak of personal information for up to 350,000 people.
After a two-week investigation, the Japanese company says it can only confirm that personal information was accessed for current and former employees. But the list of “potentially compromised” people is much larger, including callers to Capcom’s Japanese help desk, Capcom Store customers, members of Capcom’s North American esports teams, company shareholders, and former applicants for Capcom jobs.
The information revealed in the attack generally includes names, addresses, phone numbers, and email addresses. But current and former employees had their passport information and signature revealed, Capcom says, while job applicants may have had personal photos leaked.
Capcom notes that credit card information, which is “handled by a third-party service provider,” should be safe. Access to the company’s online games and websites should also be unaffected.
The attack also revealed some of Capcom’s internal business documents, including release and marketing plans and sales expectations for current and upcoming titles. Some of that information has already begun circulating on gaming forums and Twitter.
Pay up or pay the price
Capcom, which publishes major gaming franchises including Resident Evil, Monster Hunter, and Street Fighter, says it shut down its internal network on November 2. Shortly thereafter, the company determined it had been hit by “a targeted attack against the company using ransomware, which destroyed and encrypted data on its servers.”
The attack was reportedly organized by “a criminal organization that calls itself Ragnar Locker,” which demanded a ransom to unlock the data and prevent it from leaking. The BBC reports that Ragnar Locker posted a message on its dark-net webpage saying Capcom didn’t “make a right decision and save data from leakage,” suggesting the company decided not to pay the ransom demand. Ragnar Locker’s note also suggests it has more Capcom data that it has yet to release.
The investigation into the precise nature of the attack took so long in part because it was “carried out using what could be called tailor-made ransomware… aimed specifically at the company to maliciously encrypt the information saved on its servers and delete its access logs.”
Capcom says it is working with international law enforcement officials in the aftermath of the attacks and has commissioned third-party security companies to evaluate the attack and beef up internal information security.