Capcom has officially closed the investigation into the ransomware attack against its servers from late last year, concluding that the ongoing COVID-19 pandemic—what else—had a hand in the security breach.
Here’s Capcom’s explanation of the events that led to the hack:
According to the IT specialists, unauthorized access to the Company’s internal network was acquired in October 2020 through a cyberattack carried out on an older backup VPN (Virtual Private Network) device that had been maintained at its North American subsidiary (Capcom U.S.A., Inc.). At that time, the Capcom Group, including the North American subsidiary, had already introduced a different, new model of VPN devices; however, due to the growing burden on the Company’s network stemming from the spread of COVID-19 in the State of California, where this North American subsidiary is located, one of the aforementioned older VPN devices remained solely at this North American subsidiary as an emergency backup in case of communication issues, and it became the target of the attack. The device in question has already been removed from the network at this time.
Ragnar Locker, the hacking group responsible for the Capcom breach, made off with around 1 TB of data, potentially compromising the personal information of up to 390,000 employees, customers, and business partners. Capcom reiterated in today’s statement, however, that the hackers were unable to access credit card information.
Shortly after launching the attack, Ragnar Locker made bits and pieces of the stolen assets available online, including a handful of internal documents and the source code for 1999’s The Misadventures of Tron Bonne. The leaked information was also said to have revealed several unannounced Capcom projects like Dragon’s Dogma 2, Street Fighter 6, and a Resident Evil 4 remake.
While the ransomware attack gave Capcom instructions on how to prevent the spread of the stolen data, today’s update also mentions that Ragnar Locker never provided the company with a ransom amount. That said, Capcom claims to have made no attempt to contact the group after consulting with law enforcement.
“Capcom would once again like to reiterate its deepest apologies for any complications or concerns caused by the incident,” the statement adds. “As a company that handles digital content, it is treating this incident with the utmost seriousness and will take the appropriate action to address any requests or directions provided by law enforcement and other relevant authorities in each country. At the same time, Capcom will endeavor to further strengthen its management structure while coordinating with the relevant organizations to pursue its legal options regarding criminal acts.”