What data has been stolen in Capcom ransomware hack? Is credit card information safe?

The Japanese video game developer Capcom has confirmed the company was the subject of a ransomware hack this month, which resulted in the theft of a large amount of personal information belonging to staff, former staff and customers.

The ransomware hack apparently took place on November 6th, with Capcom waiting until today (November 16th) to announce in a press release all the details of the attack. The company did, however, contact law enforcement in Japan and overseas immediately they discovered their data had been stolen.



Capcom says the hack was carried out by a known criminal organization that calls itself Ragnar Locker, with a message being received from the hackers soon after the hack occurred, and a large ransom amount then requested.

On November 11th, the Japan Times reported the hackers had released 67 gigabytes of data they say is some of the personal information stolen in the Capcom ransomware hack.

This was done after Capcom refused to pay the ransom or make payment by the hackers’ deadline.

 

Graphic by Bru-nO via Pixabay

What was stolen in the Capcom ransomware hack?

The worry of most Capcom customers, of course, is if customer credit card information is safe or was that also stolen in the hack?

According to the developer, none of the at-risk data includes customer credit card information. The reason they are sure this is the case they explained is because:

All online transactions etc. are handled by a third-party service provider, and as such Capcom does not maintain any such information internally.

What has been stolen in the hack, though, is a large amount of personal information of staff, former staff, people who applied for jobs at the company and, of course, customers.

Capcom says the following information has been verified to have been stolen:

i. Personal information: 9 items

  • Personal information of former employees: 5 items
    (Name & signature: 2 items; name & address: 1 item; passport information: 2 items)
  • Personal information of employees: 4 items
    (Name and HR information: 3 items; name & signature: 1 item)

ii. Other information

  • Company sales reports
  • Capcom financial information

Other information belonging to over 175,000 people may also have been compromised but, until Capcom has fully investigated the breach, they cannot be sure if that is the case.

This includes approximately 350,000 items. Everything from names, addresses, phone numbers and email addresses of customers that have used the Japanese help desk to names, birthdates and email addresses of anyone that has shopped through the North American Capcom store.

The stolen date could even potentially include their shareholders names, addresses and email addresses and the amount of shares they own, as well as the names, birthdates, addresses, phone numbers, email addresses and photos of employees, former employees and job applicants.

The latter groups alone include more than 153,000 people.

 

Graphic by Geralt via Pixabay

Capcom contacting those whose data has been stolen in the ransomware hack

If you are in any of the above groups, you can expect to be contacted by Capcom in the coming days or weeks with an explanation of what has been taken and what the current situation regarding it happens to be.

The video game developer also list contact information on their press release about the incident for anyone who believes their data may have been stolen, and who has questions or needs help.

What should you do if you believe your data may have been stolen in the Capcom ransomware hack?

There are several things you should do if there is even a slight possibility your data may have been stolen.

  1. Name and address information is readily available online with a 5-second search, so do not worry about that information having been stolen.
  2. Immediately change the password on your e-mail account/s. Make sure the password is a strong one and not one that could easily be connected to you. Do not use the same password on multiple accounts.
  3. Be sure to also change your passwords on any financial accounts as there is never a 100% guarantee that information has also not been stolen.
  4. If a hacker has your name and date of birth, there is much more they can do with it, including applying for a new credit card or using it to verify identity with other accounts you may have. That is why you should immediately contact all the major credit reporting agencies and ask them to put a fraud alert on your account.
  5. If you are very worried, you can also sign up with a credit or identity monitoring service.

For more information on how to protect yourself in the case of your data having been stolen in a company’s security breach, this step-by-step guide about what to do after a data breach at Tom’s Guide is excellent.

Meanwhile, read more about what Capcom is doing about their ransomware hack on the company’s press release.

For all intents and purposes, it does appear they are doing everything they can to protect their employees, customers and shareholders and are not trying to pretend what has happened is not worrisome.

That alone is a sign Capcom is taking this incident extremely seriously.

Michelle Topham