Capcom Says Personal Data of Thousands More Stolen in Ransomware Attack

Video game giant Capcom this week revealed that thousands more people than initially believed had their personal information stolen in a ransomware attack in November 2020.

Known for video games such as Devil May Cry, Monster Hunter, Resident Evil, Street Fighter, Ace Attorney and Mega Man, the Japanese company has operations in Asia, Europe, and the United States.

On November 4, the game maker announced that it detected unauthorized access to its network, and two weeks later confirmed that the attackers accessed the personal information of employees, as well as financial information, sales reports, and other business data.

The operators of the Ragnar Locker ransomware, who claimed the attack, said in November they were able to download over 1TB of data from the company.

This week, Capcom announced that its investigation into the incident revealed that the number of people who had their personal information compromised in the ransomware attack is larger than initially believed.

Specifically, the company now says that a total of 16,415 people (including 3,248 business partners, 9,164 former employees and related parties, and 3,994 employees and related parties) had their personal information stolen. Initially, Capcom said only 9 people were impacted.

Affected information includes names, physical and email addresses, phone numbers, HR information, birthdates, passport information, and the like.

The “potential maximum number of customers, business partners and other external parties” that might have been affected by the incident is of approximately 390,000 people (up roughly 40,000 people from previous estimates), Capcom says.

The company removed approximately 18,000 items of personal information from the list, as it has no evidence that the data might have been affected.

Game development documents, sales reports, financial information, and other information related to business partners was also accessed during the ransomware attack. The company also expects for new details to emerge as the investigation progresses.

“Further, because the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time,” the video game maker notes.

Just as before, the company underlined that no credit card information was compromised in the incident, as such information is not stored internally (online transactions are handled by a third-party service provider).

Capcom says that it was able to recover most of the affected internal systems and that business operations have returned to normal.

Related: Carnival Corp. Confirms Personal Information Compromised in Ransomware Incident

Related: Blackbaud Says Bank Account Data, SSNs Impacted in Ransomware Incident

Related: Capcom Confirms Hackers Stole Data in Recent Attack