Bandai Namco, the Japanese publisher behind the Ace Combat, Dragon Ball Z, and Dark Souls games, appears to be the latest major gaming company to suffer a major hack. The ransomware group BlackCat added the Elden Ring publisher to its list of victims earlier today, though the extent of the damage and how much money the group is demanding are not yet clear.
“ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco,” vx-underground, a group that monitors malware source code on the web, posted on Twitter Monday. Attached was a screenshot of the ALPHV ransomware blog where the group tracks its targets, with Bandai Namco listed under the threat of “data soon” as of July 11.
Bandai Namco did not immediately respond to a request for comment. Vx-underground has previously reported on other hacks, including the infamous Lapsus$ one, before the companies themselves have confirmed them. The ransomware watch group DarkFeed also shared a screenshot of BlackCat’s claimed hack earlier today. Vx-underground and DarkFeed didn’t immediately respond to a request for comment either.
Update: 9:20 a.m. ET, 7/13/22: Bandai Namco confirmed the hack and said it’s still investigating the cause and extent of the damage, including the possibility that customer info was leaked.
“On 3rd July, 2022, Bandai Namco Holdings Inc. confirmed that it experienced an unauthorized access by third party to the internal systems of several Group companies in Asian regions (excluding Japan),” the publisher told Eurogamer in a statement. It continued:
After we confirmed the unauthorised access, we have taken measures such as blocking access to the servers to prevent the damage from spreading. In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause.
We will continue to investigate the cause of this incident and will disclose the investigation results as appropriate. We will also work with external organizations to strengthen security throughout the Group and take measures to prevent recurrence.
We offer our sincerest apologies to everyone involved for any complications or concerns caused by this incident.
BlackCat, members of which were believed to also be involved in the Colonial Pipeline hack last year, have been ramping up ransomware attacks, according to some computer security analysts as well as the FBI. Most recently, the hacks have resulted in BlackCat posting private employee data online if the victims refuse to pay up. In the past, the group has demanded millions, and targeted school districts and other public entities in addition to for-profit companies.
If legitimate, this would be just the latest in a long line of recent hacks at major gaming companies. Capcom was hit in late 2020, with several of its upcoming unannounced releases like Dragon’s Dogma 2 leaking at the time. A now famous hack of graphics chip manufacturer Nvidia ended up leaking tons of other big gaming projects like Kingdom Hearts 4. CD Projekt Red, the Polish studio behind The Witcher 3 and Cyberpunk 2077, had employee data and the source code for one of its games stolen in early 2021. Even FIFA publisher Electronic Arts was hit, with the alleged perpetrators trying to get media outlet Vice to blackmail the company on their behalf.
It’s unclear how much of the seeming uptick in security breaches is due to new techniques deployed by hackers vs. the greater challenges companies faced when moving to working from home during the global pandemic. Capcom blamed part of its vulnerability on remote work. At the same time, the blockchain network hosting crypto gaming juggernaut Axie Infinity suffered one of the most expensive hacks in history earlier this year, reportedly all because an employee fell for an elaborate phishing scheme.
Earlier this year, Bandai Namco took the servers for Dark Souls I, II, and III offline after a dangerous remote code execution (RCE) exploit was discovered.