Fans of the Street Fighter video game series might know exactly how to block even the baddest moves from the likes of Akira and Chun-Li but they now face a much tougher battle after the publishing firm behind the franchise confirmed hackers have stolen customer data in a ransomware attack.
Capcom, the Japanese giant behind Street Fighter I to V, as well as Resident Evil 1 to 7, Mega Man, Devil May Cry and Monster Hunter, has changed its mind over the breach, having initially claimed it had no evidence that customer data had been accessed.
Now, in a new statement, the company has confessed data on as many as 350,000 customers may have been stolen, including names, addresses, phone numbers, and in some cases dates of birth.
Capcom said the hackers also stole its own internal financial data and HR files on current and former employees, which included names, addresses, dates of birth, and photos. The attackers also took “confidential corporate information,” the company said, including documents on business partners, sales, and development.
However, Capcom insists that no credit card information was taken, claiming that payments are handled by a third-party company. Even so, it warned that the total amount of data stolen “cannot specifically be ascertained” due to the fact that it lost its own internal logs in the cyberattack.
In a statement, it said: “Capcom offers its sincerest apologies for any complications and concerns that this may bring to its potentially impacted customers as well as to its many stakeholders.”
The attack, carried out by “Ragnar Locker” ransomware gang, took place on November and reportedly affected 1 terabyte of data, forcing Capcom to shut down its entire network.
Ragnar Locker steels data from a victim before encrypting the company’s network, and then threatens to publish the stolen files unless a ransom is paid. This means cyber criminals can still demand a company pays the ransom even if the victim restores their files and systems from back-ups.
Ragnar Locker’s website now lists data allegedly stolen from Capcom, with a message implying that the company did not cough up.
Capcom said it had informed data protection regulators in Japan, as well as the UK Information Commissioner’s Office, as required under GDPR.
Founded in 1979, as the IRM Corporation, the business initially specialised in arcade games but branched out into personal video gaming when the first consoles, the Commodore 64 and IBM PC DOS, launched in the 1980s. In 2019, it had revenues of 12.6 billion yen (£91m).
Related stories
Blackbaud breach sparks legal threat to UK universities
National Trust among 125 hit by Blackbaud hack in UK
Crisis donors hit as fears grow over Blackbaud breach
Pitney Bowes hit as Maze ransomware strikes again
Ransomware car crash hits digital transformation giant
Half of UK firms would pay ransom to avoid GDPR fine
Over 40% of firms suffered cyber breach in past year
Firms warned over new wave of nefarious cyber attacks