Capcom has confirmed that it’s been the victim of a ransomware attack, which has seen up to 350,000 items of personal data stolen from its servers, including the names and addresses of customers and former employees.
Confirming a report from last week, the Resident Evil publisher said that it had been targeted by the Ragnar Locker hacker group, which it said had sent it a message earlier this month demanding money in exchange for data stolen from its servers.
At the time, media reports claimed that over 1TB of data had been stolen during the hack and that the hacker group was demanding $11m in bitcoin for return of the files. If no deal was made, then the data would be published or sold, a report by Bleeping Computers claimed.
VGC has been able to verify that files from the leak are already being actively circulated online, including personal data.
Capcom said on Monday that it had reported the incident to the police, shut down and restructured its severs and called in a third-party security company to inspect them.
The Japanese firm said it has begun contacting individuals whose information it has verified to have been compromised to explain the background of the incident.
So far, Capcom has acknowledged nine items of personal information verified to have been stolen by the group, which is made up of data for former and current employees, including addresses and passports. In addition, some sales reports and financial information have been verified to have been stolen, it said.
However, the list of potentially compromised data is far larger. Capcom estimates that a maximum of 350,000 items of personal information could have been stolen in the hack.
That includes 134,000 items from Japan customer support, 14,000 items from the North American Capcom Store and 4,000 items from its Esports website. The information includes names and emails, and in the case of Japan addresses and phone numbers.
In addition, a maximum of 153,000 items could have been stolen related to former employees and their families, as well as job applicants. The data includes names, addresses, phone numbers and photographs.
Capcom said the potential data leak also includes 40,000 items containing the names, addresses and shareholdings info of its shareholders, as well as 14,000 HR items and confidential corporation information related to sales, business partners and development.
None of the at-risk data contains credit card information, Capcom said.
For individuals who wish to inquire about the personal information that has potentially been compromised, the company has set up a Japan-only phoneline. North American customers are advised to contact its customer support.
“Capcom would once again like to reiterate its deepest apologies for any complications or concerns caused by this incident,” it said in a statement.
“As a company that handles digital content, it is regarding this incident with the utmost seriousness. In order to prevent the reoccurrence of such an event, it will endeavor to further strengthen its management structure while pursuing legal options regarding criminal acts such as unauthorized access of its networks.”