Yesterday, we posted a massive info dump on Capcom’s plans for Resident Evil Village, the Ace Attorney franchise and more. This was from an earlier data breach at the company, and now Capcom has issued a formal statement about it.
First the good news: Capcom notes that there is no at-risk data pertaining to credit card info, online transactions and the like, so users should be safe and not worry about the breach, as that data is being handled by a third-party service provider. The bad news? There are customer names, emails which have been confirmed to be part of the data compromise.
As there is an ongoing investigation in place, it is possible that new facts may come to light going forward. Below is a general summary of what has been confirmed at this point in time (as of November 16, 2020).
1. Information verified to have been compromised
i. Personal information: 9 items
- Personal information of former employees: 5 items
(Name & signature: 2 items; name & address: 1 item; passport information: 2 items)
- Personal information of employees: 4 items
(Name and HR information: 3 items; name & signature: 1 item)
ii. Other information
- Sales reports
- Financial information
2. Potentially compromised data
i. Personal information (customers, business partners, etc.): maximum of approx. 350,000 items
- Japan: Customer service video game support help desk information (approx.134,000 items)
Names, addresses, phone numbers, email addresses
- North America: Capcom Store member information (approx. 14,000 items)
Names, birthdates, email addresses
- North America: Esports operations website members (approx. 4,000 items)
Names, email addresses, gender information
- List of shareholders (approx. 40,000 items)
Names, addresses, shareholder numbers, amount of shareholdings
- Former employees’ (including family) information (approx. 28,000 people);
applicants’ information (approx. 125,000 people)
Names, birthdates, addresses, phone numbers, email addresses, photos, etc.
ii. Personal information (employees and related parties)
- Human resources information (approx. 14,000 people)
iii. Confidential corporate information
- Sales data, business partner information, sales documents, development documents, etc.
None of the at-risk data contains credit card information. All online transactions etc. are handled by a third-party service provider, and as such Capcom does not maintain any such information internally.
Because the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time.
The company has oultined the detection and steps taken for this hack.
Detection and action taken
- In the early morning hours of November 2, 2020 after detecting connectivity issues with its internal network, Capcom shut down its systems and began investigating the situation.
- Capcom confirmed that this was a targeted attack against the company using ransomware, which destroyed and encrypted data on its servers.
- The company discovered a message from a criminal organization that calls itself Ragnar Locker, and after ascertaining that ransom money was being demanded, contacted the Osaka Prefectural Police.
- On November 4, 2020 the company issued the following press release: “Notice Regarding Network Issues due to Unauthorized Access.”
- On November 12, 2020, Capcom verified that nine items of personal information and some corporate information had been compromised.
- In addition to these confirmed nine items, the company continued its investigation into the scope of potentially compromised information, making a public disclosure of this on November 16, 2020 (this release).
Investigation and analysis, etc., of this incident took additional time due to issues such as the information saved on servers being encrypted and access logs being deleted in the attack.
ii. At this point, Capcom has reported the occurrence of network issues to the supervisory authority under GDPR (ICO in the United Kingdom), and the Personal Information Protection Commission (Japan).
iii. The company implemented protective software, shut down all suspicious transmissions, and carried out reconstruction of the servers. It is carrying out an ongoing investigation into the information that had been saved in each of its departments based on the servers it has recovered.
iv. The company has already commissioned a third-party security company to inspect system issues stemming from this incident. Capcom plans to announce the results of this inspection separately, when available.
v. Further, the company has arranged a structure of reporting and consultation with a major software company, a major security specialist vendor and law offices with extensive knowledge of system security.
Capcom is working with a major IT security specialist company to better get a grasp of the overall damage caused by the attacks, and to prevent it from happening again. The publisher also adds that it is safe for customers to connect online to play and access its websites.
Lastly, Capcom offers its deepest apologies for any issues or complications this has caused, and will ensure it will strengthen its management structure so it doesn’t happen again.
You can read the entire report here.