Capcom confirms Ragnar Locker ransomware attack, data exposure

Capcom has confirmed that a recent security incident was due to a Ragnar Locker ransomware infection, potentially leading to the exposure of customer records. 

This week, the Japanese gaming giant confirmed that the company had fallen prey to "customized ransomware" which gave attackers unauthorized access to its network -- as well as the data stored on Capcom Group systems. 

The firm says it has "verified that some personal information has been compromised," adding that the ransomware outbreak "destroyed and encrypted data on its servers."

See also: Capcom quietly discloses cyberattack impacting email, file servers

A ransom payment was demanded, but it does not appear that Capcom bowed to blackmail.

Capcom has provided an extensive list of confirmed and potentially compromised records. As of November 16, the firm has verified that the personal information of former employees -- including names, signatures, addresses, and passport information -- was exposed. These "five items" join "four items" relating to current employees and their names, as well as human resource records.

Capcom says that sales reports and financial information was also impacted, but has not gone into further detail. 

Together with the confirmed leaks of data, Capcom has also provided a list of potentially exposed records, choosing to list them as worst-case scenarios:

• The PII of customers, business partners, and more: 350,000 items
• Japan's customer service video game support, help desk: 134,000 items, including names, addresses, phone numbers, email addresses
• North America: Capcom Store member information: 14,000 items, including names, dates of birth, email addresses
• Esports operations website members: 4,000 items, including names, email addresses, gender
• Shareholder lists: 40,000 items, including names, addresses, shareholder numbers, amounts
• Former employees and family: 28,000 people, applicant data (125,000 people): names, dates of birth, addresses, phone numbers, and more
• Human resources data: 14,000 people
• Confidential corporate information: business partner records, sales documents, and more

Capcom is keen to emphasize that no credit card data has been included in the breach, as payments are managed by a third-party.

CNET: Trump fires top cybersecurity official for debunking election fraud claims

"Because the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time," the firm says.

The security incident occurred on November 2. Email systems and a number of file servers were impacted and so the company temporarily cut some services to stop the attack -- and also warned investors that "inquiries and/or requests for documents" would not be answered. 

ZDNet learned at the time that Ragnar Locker ransomware may be to blame. In a ransomware note displaying the Capcom brand, the attackers behind the infection demanded that the company get in touch to negotiate a blackmail payment. 

TechRepublic: How to secure your Zoom account with two-factor authentication

The company is working with law enforcement in Japan and the US, as well as external security experts, as part of an investigation into the cyberattack. Capcom also says a new cybersecurity advisory board will be created "towards preventing any reoccurrence."

"Capcom offers its sincerest apologies for any complications and concerns that this may bring to its potentially impacted customers as well as to its many stakeholders," the company says. "In order to prevent the reoccurrence of such an event, it will endeavor to further strengthen its management structure while pursuing legal options regarding criminal acts such as unauthorized access of its networks."

Previous and related coverage

• Today's 'mega' data breaches now cost companies $392 million to recover from
  
• 23,600 hacked databases have leaked from a defunct 'data breach index' site
  
• Barnes & Noble confirms cyberattack, ransomware group leaks allegedly stolen data
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0