Capcom employee info, game details exposed by severe ransomware attack

After revealing it was subject to a security breach at the beginning of November, Capcom has confirmed it’s been the victim of a ransomware attack – and a pretty major one at that. Corporate information about Capcom’s upcoming titles has already been leaked, but more worryingly, it seems a large amount of personal data has potentially been compromised.

In a press release earlier today, Capcom said it was the victim of a “customised ransomware attack” and confirmed that personal information had been compromised. So far the information verified to have been compromised included sales reports, financial information, and nine items of personal information from current and former employees. But Capcom is concerned that up to 350k items of personal information from customers, business partners, applicants and employees could also have been compromised: including names, addresses, phone numbers, birthdates, shareholder numbers and even employee photos.

Capcom can’t be sure about the exact amount of potentially compromised data as some logs were lost in the attack, but it is certain no credit card information has been leaked. That’s a sliver of good news, but plenty of customers and employees are now in the pretty terrifying position of wondering if their personal information has been made public – and Capcom has advised everyone potentially affected to “practice an abundance of caution, looking out for any suspicious packages received by mail or messages that could potentially be received”.

Aside from the personal information concerns, a significant amount of corporate information appears to have been leaked online. Screenshots show a new Ace Attorney collection for PlayStation 4 and Nintendo Switch, Resident Evil 4 for Oculus VR, and a PC release for Monster Hunter Rise and Monster Hunter Stories 2. Internal briefings show a planned release date for Resident Evil Village of late April in 2021, although it’s worth noting these plans may now be outdated. Screenshots also detail a new project called Shield – allegedly a multiplayer shooter – while another name that appears to be floating around includes a new Nintendo Switch IP named Guillotine, although details on this remain light.

Along with the project names and release dates, the leak includes internal briefings that detail Capcom’s business plans – including a real peek behind the curtain at how Capcom wants to get streamers on board for Shield. Another file shows the payment milestones for Resident Evil 7 and 8 (officially Village), which indicates Google has paid Capcom a large sum to port the titles to Stadia.

The leak has already been fairly disastrous for Capcom, but according to the ransom note that’s circulating online, it seems not all the data has yet been released by hacking group Ragnar Locker. As reported by BBC News, the group’s statement suggests Capcom has not paid the ransom for the data. We could see further leaks in the coming weeks – and unfortunately the possibility of personal details being included in those dumps.

Capcom has said its initial investigation of the attack “took additional time due to issues such as the information saved on servers being encrypted and access logs being deleted in the attack”. Since then it’s reported the leak to supervisory authorities such as GDPR and the Information Commissioner’s Office in the UK, and has launched an internal investigation into the incident. Third-party security and software specialists are also being brought in to inspect the company’s systems and offer advice.

“Capcom would once again like to reiterate its deepest apologies for any complications or concerns caused by this incident,” the statement said. “As a company that handles digital content, it is regarding this incident with the utmost seriousness. In order to prevent the reoccurrence of such an event, it will endeavour to further strengthen its management structure while pursuing legal options regarding criminal acts such as unauthorised access of its networks.”