A ransomware attack that hit online game developer Capcom on November 2 has revealed a data breach affecting roughly 350,000 individuals.
Although the preliminary report of the Ragnar Locker operation that crippled its email and file servers emphasized that customer information was not compromised, an incident update published yesterday reveals a more serious outcome.
The data breach notification released by the creator of Street Fighter, Resident Evil and Devil May Cry on November 16 confirms that personal information of customers and employees was indeed compromised in the attack.
The Ragnar Locker gang apparently managed to access a range of personal identifiable information of customers, including names, addresses, gender, phone numbers, email addresses, birth dates, investor names, amount of shareholdings and photos. The attackers were also able to view and exfiltrate data belonging to Capcom employees, including but not limited to full names, addresses, passport information, date of birth, signatures, phone numbers and email addresses.
Additional compromised data includes confidential corporate information, such as sales documents and business partner information. The full list can be seen below:
- Japan: Customer service video game support help desk information (approx. 134,000 items) – names, addresses, phone numbers, email addresses
- North America: Capcom Store member information (approx. 14,000 items) – names, birthdates, email addresses
- North America: Esports operations website members (approx. 4,000 items) – names, email addresses, gender information
- List of shareholders (approx. 40,000 items) – names, addresses, shareholder numbers, amount of shareholdings
- Former employees’ (including family) information (approx. 28,000 people) and applicants’ information (approx. 125,000 people) – names, birthdates, addresses, phone numbers, email addresses, photos, etc.
- Human resources information (approx. 14,000 people)
- Confidential corporate information – sales data, business partner information, sales documents, development documents, etc.
Slightly alleviating concerns of customers, Capcom points out key information that was not compromised in the attack:
“None of the at-risk data contains credit card information,” the company said. “All online transactions etc. are handled by a third-party service provider, and as such Capcom does not maintain any such information internally.”
Although it doesn’t seem that any login credentials were compromised during the attack, and the game developer confirms that “it is safe for Capcom customers or others to connect to play the company’s games online and access its websites,” users awareness and safe practices are advised.
As a precaution, online users should consider changing the password associated with their account and look out for any suspicious emails claiming to be from Capcom. Never provide personal and financial information to any individuals contacting you via any online method.