What You Need to Know About the Capcom Breach
Video game developer Capcom fully disclosed a server breach that occurred on November 2. According to a press release, the Capcom breach resulted from customized ransomware; the attack followed a network compromise organized by the Ragnar Locker hacker group. Ragnar Locker specializes in data-stealing ransomware.
Both employee and customers’ personal information became exposed, although only nine former and current employees suffered in the attack. Meanwhile, 350,000 customers and business partners had their information stolen, including names, addresses, birthdates, phone numbers, email addresses, and photographs.
In the press release, Capcom stressed that customer financial information did not become compromised in the breach; affected current and former employees did have their financial information compromised. Log files were lost in the attack, making the full extent of the breach difficult to assess.
This press release comes days after Capcom initially denied any sort of breach in the wake of the initial cyber-attack. The developer apologized and announced plans to contact affected customers.
Laurence Pitt, Technical Security Lead at Juniper Networks, shared some thoughts on the Capcom Breach: “While it’s good that no payment information was taken in this breach, the amount of personal data stolen amounts to something worse. A stolen credit card can be stopped and payments refused, but we only get one identity – if the digital version is stolen in a breach, then that is much harder to replace. Capcom needs to contact affected members immediately and should be providing information on the steps they are taking to provide identity protection, as well as what members themselves can do to protect themselves.”
Other Experts on the Capcom Breach
Saryu Nayyar, CEO of Gurucul, shared her thoughts as well. “The recent Capcom breach is damaging for them on multiple levels. The loss of customer information, including more than enough data for attackers to craft targeted phishing and social engineering attacks, will both damage their reputation and subject them to data protection regulations. It’s good that no customer financial information appears to have been stolen. However, the loss of internal corporate and HR data may prove even more damaging than the loss of customer data. Worse, they do not appear to have a full accounting of what was taken due to the attackers destroying internal logs.
“This attack is another example of how sophisticated these attacks have become. The attackers exfiltrate data before encryption, which means that even if the victim is able to restore from backup, they may still be subject to extortion over the release of confidential information. The industry will keep improving our defenses, and legislatures will keep adding penalties for organizations that fail to follow best practices, but it will take the international Law Enforcement community cracking down on this type of crime to stem the tide.”
Learn more in our Endpoint Security Buyer’s Guide.