[BreachExchange] ‘Resident Evil’ game maker Capcom confirms data breach after ransomware attack

Destry Winant destry at riskbasedsecurity.com
Mon Nov 16 10:57:47 EST 2020


https://techcrunch.com/2020/11/16/capcom-resident-evil-game-maker-breach-ransomware/

Capcom, the Japanese game maker behind the Resident Evil and Street
Fighter franchises, has confirmed that hackers stole customer data and
files from its internal network following a ransomware attack earlier
in the month.

That’s an about-turn from the days immediately following the
cyberattack, in which Capcom said it had no evidence that customer
data had been accessed.

In a statement, the company said data on as many as 350,000 customers
may have been stolen, including names, addresses, phone numbers, and
in some cases dates of birth. Capcom said the hackers also stole its
own internal financial data and human resources files on current and
former employees, which included names, addresses, dates of birth, and
photos. The attackers also took “confidential corporate information,”
the company said, including documents on business partners, sales, and
development.

Capcom said that no credit card information was taken, as payments are
handled by a third-party company.

But the company warned that the overall amount of data stolen “cannot
specifically be ascertained” due to losing its own internal logs in
the cyberattack.

Capcom apologized for the breach. “Capcom offers its sincerest
apologies for any complications and concerns that this may bring to
its potentially impacted customers as well as to its many
stakeholders,” the statement read.

The video games maker was hit by the Ragnar Locker ransomware on
November 2, prompting the company to shut down its network. Ragnar
Locker is a data-stealing ransomware, which exfiltrates data from a
victim before encrypting its network, and then threatens to publish
the stolen files unless a ransom is paid. In doing so, ransomware
groups can still demand a company pays the ransom even if the victim
restores their files and systems from backups.

Ragnar Locker’s website now lists data allegedly stolen from Capcom,
with a message implying that the company did not pay the ransom.

Capcom said it had informed data protection regulators in Japan and
the United Kingdom, as required under European GDPR data breach
notification rules. Companies can be fined up to 4% of their annual
revenue for falling foul of GDPR rules.

