Capcom has provided what will likely be the final update on the ransomware attack that the company suffered in November. It contains new information about what data was actually compromised, how it might have happened, and the measures the company is taking to prevent similar problems in the future.
The initial attack took place on Nov. 2 when an organization called Ragnar Locker managed to gain unauthorized access to Capcom’s internal network and proceeded to demand ransom money while leaking internal details such as upcoming game releases.
Since then, the Capcom Group has concluded its investigation into the incident and received external findings from all of its investigative partners.
“According to the IT specialists, unauthorized access to the Company’s internal network was acquired in October 2020 through a cyberattack carried out on an older backup VPN (Virtual Private Network) device that had been maintained at its North American subsidiary (Capcom USA, Inc.),” Capcom said. “The device in question has already been removed from the network at this time.”
Capcom said the unauthorized access allowed the attackers to access servers for the U.S. and Japan offices, where they were infected with ransomware on Nov. 1 and started experiencing issues the next day.
Following the attack, Capcom had all compromised devices wiped, reverified the safety of all VPN devices, introduced a Security Operation Center service, and much more. This also includes the Information Technology Security Oversight Committee, which is made up of two university professors who are cybersecurity experts, one lawyer who works in that field, and one certified public accountant who’s an IT system audit specialist.
Previously, Capcom said 16,415 people had their names, email addresses, phone numbers, and additional information compromised in the attack. Now, that total has decreased by 766 people, down to 15,649 people based on new information from the investigation.
But the company hasn’t changed its estimate of a max of 350,000 people potentially being impacted in some form during this incident.
“Capcom would once again like to reiterate its deepest apologies for any complications or concerns caused by the incident,” Capcom said. “As a company that handles digital content, it is treating this incident with the utmost seriousness, and will take the appropriate action to address any requests or directions provided by law enforcement and other relevant authorities in each country.”
Capcom has once more clarified that none of the at-risk data contained credit card information because the company uses a third-party service to complete online transactions and doesn’t maintain any of that information internally.
You can read the full report on Capcom’s official website.