Video-game-maker Capcom has warned a ransomware attack might have compromised gamers’ personal information.
Up to 350,000 people could be affected, it said, and some of its own financial information had been stolen.
The Japanese developer is best known for franchises such as Resident Evil, Street Fighter, and Monster Hunter.
A week-and-a-half earlier, it had said there was no indication customer information had been accessed.
But in an update on Monday, Capcom confirmed its servers had been hit by an attack on 2 November.
Ransomware is malicious software that typically threatens to block a victim’s access to their own records unless a blackmail payment is made.
In this case, the attackers digitally scrambled some of the data on Capcom’s servers, making it impossible to view or amend, and destroyed some files outright.
The Ragnar Locker hacker group had then demanded to be paid to undo the encryption involved, Capcom said.
On Ragnor Locker’s dark-net webpage, the hackers didn’t just post Capcom’s data but also an ominous message.
In broken English they wrote the Japanese company didn’t “make a right decision and save data from leakage”.
This – and the fact Capcom is openly talking about the hack – suggests the company chose not to pay the cyber-criminals’ extortion demand.
Many, including law enforcement, would actually see this as absolutely the right decision.
For 18 months, police the world over have been desperately imploring ransomware victims not to pay hackers.
The groups have made millions from companies, which often feel they have no other option but to fork out.
But it seems Capcom has found a way through without yielding.
No doubt the incident has affected the firm’s reputation and some sensitive data is already surfacing online.
But reading the disappointment in Ragnor Locker’s statement is refreshing and rare.
Presentational grey line
So far, Capcom has confirmed only nine people’s personal information was definitely compromised, all current or former employees.
But up to 350,000 customers, business partners, and other employees might also be affected, it said.
Although, it could not be sure because its own logs had been “lost as a result of the attack”.
The information includes different combinations of names, addresses, birthdays, phone numbers and email addresses, depending on why the data was gathered.
For example, some was from Japanese customer support and some from the American Capcom store or e-sports operation.
“None of the at-risk data contains credit-card information,” Capcom’s statement said.
“All online transactions… are handled by a third-party service provider.
“And as such, Capcom does not maintain any such information internally.”
The company also said it was safe for gamers to continue to play its games online and to use its websites.
Police have been notified, as have the Japanese and UK data-protection watchdogs.
“Capcom would once again like to reiterate its deepest apologies for any complications or concerns caused by this incident,” it said.
“As a company that handles digital content, it is regarding this incident with the utmost seriousness.”