Capcom has confirmed that a personal data breach it suffered late last year is worse than first thought, with the total number of potentially compromised people increased to 390,000 (up by 40,000).
The Resident Evil publisher first confirmed in November that it had been the victim of a ransomware attack, which saw hundreds of thousands of pieces of personal data stolen from its servers, including the names and addresses of customers and former employees.
On Tuesday, the company provided an update on its investigation into the breach. It confirmed that it’s now verified that the personal information of 16,406 people has definitely been stolen, up from nine in November.
That includes names, addresses, contact details and HR information for 3,248 business partners, 3,994 employees and 9,164 former employees.
Hackers also stole sales reports, financial information, game development documents and more, it said. Because a third-party provider handles online transactions, no credit card data was breached, it claimed.
VGC has been able to verify that files from the leak are being actively circulated online, including personal data and documents mentioning unannounced games and content.
In total, Capcom said it’s ascertained that the potential maximum number of customers, business partners and other external parties whose personal information may have been compromised in the attack is approximately 390,000 people – an increase of 40,000 from the previous report.
That includes at least 134,000 items from Japan customer support, 14,000 items from the North American Capcom Store and 4,000 items from its Esports website. The information includes names and emails, and in the case of Japan addresses and phone numbers.
“Capcom offers its sincerest apologies for any complications and concerns that this may bring to its potentially impacted customers as well as to its many stakeholders,” it said on Tuesday.
As first reported by a media outlet in November, the Resident Evil publisher was targeted by the Ragnar Locker hacker group. Capcom said had sent it a message earlier the same month demanding money in exchange for data stolen from its servers.
At the time, media reports claimed that over 1TB of data had been stolen during the hack and that the hacker group was demanding $11m in bitcoin for return of the files. If no deal were made, then the data would be published or sold, a report by Bleeping Computers claimed.
The company has set up a Japan-only phoneline for individuals who wish to inquire about the personal information that has potentially been compromised (0120-400161). North American customers are advised to contact its customer support.