A ransomware attack launched against gaming company Capcom last November keeps getting worse. The company now says that the personal data of up to 400,000 of its customers was compromised in the attack — 40,000 more than the company originally thought.
Capcom is a Japan-based publisher of blockbuster games like Resident Evil, Street Fighter and Darkstalkers. The breach was first detected on Nov. 2. On Nov. 19, Capcom said that personal as well as corporate data was compromised. This is the third update from Capcom on the incident.
“As an update to its ongoing investigation, the company has verified that the personal information of an additional 16,406 people has been compromised, making the cumulative number since this investigation began 16,415 people,” the latest update, dated Jan. 12, said. “Further, the company has also ascertained that the potential maximum number of customers, business partners and other external parties etc., whose personal information may have been compromised in the attack is approximately 390,000 people (an increase of approximately 40,000 people from the previous report).”
The announcement added that an investigation is ongoing and that new evidence of additional compromise could still come.
“Capcom offers its sincerest apologies for any complications and concerns that this may bring to its potentially impacted customers as well as to its many stakeholders,” the statement said.
Ragnar Locker
The Ragnar Locker ransomware group is the most likely culprit. The ransom note, accessed by Bleeping Computer at the time the incident was first revealed, claimed responsibility on behalf of the Ragnar Locker group and said the group had downloaded more than 1TB of corporate data, including banking details, contracts, proprietary data, emails and more.
Gaming is increasingly becoming a target for all types of cyberattacks. Over the past several months, along with Capcom, popular games like Among Us, Minecraft, Roblox and Animal Jam all reported breaches or hacks, while publishers like Ubisoft have also found themselves in the crosshairs. And in October, the REvil ransomware gang threatened a “big hit” on gaming.
Leading gaming companies are attractive to cybercriminals that aim to turn a profit by selling leaked insider-credentials. Recently, more than 500,000 stolen credentials tied to the top 25 gaming firms were found on caches of breached data online and up for sale at criminal marketplaces, according to researchers at Kela.
Boris Cipot, senior sales engineer with Synopsys, said that player accounts often link to payment details, making them attractive to criminals.
Gaming a Target
“The gaming industry is a common target for attacks, be it data theft or ransomware attacks,” Cipot said. “An interesting observation within the gaming industry is that player accounts are often high-value assets due to in-app purchases, or rewards from leveling up. In other words, gaming accounts are often seen as items for sale — at least accounts owned by adults spending money.”
The good news for Capcom customers is that the company doesn’t think any customer credit-card data was exfiltrated during the breach. The company goes on to reassure players that it’s currently safe to play and purchase the company’s games online.
“None of the at-risk data contains credit card information,” the update said. “All online transactions etc. are handled by a third-party service provider, and as such Capcom does not maintain any such information internally,” Capcom advised. “Additionally, the areas that were impacted in this attack are unrelated to those systems used when connecting to the internet to play or purchase the company’s games online, which have continued to utilize either an external third-party server or an external server.”
For those Capcom customers who have been impacted, the company is reaching out to discuss next steps. The company said it’s continuing efforts to investigate the matter with law enforcement and IT security specialists, adding that its systems have largely recovered and that the company will provide any additional updates.
“Capcom would once again like to reiterate its deepest apologies for any complications or concerns caused by this incident,” the statement said. “As a company that handles digital content, it is regarding this incident with the utmost seriousness. In order to prevent the reoccurrence of such an event, it will endeavor to further strengthen its management structure while pursuing legal options regarding criminal acts such as unauthorized access of its networks.”