Japanese video game publisher Capcom suffered a cyberattack on 2 November, resulting in up to 350,000 pieces of personal information relating to customers, employees, and stakeholders being stolen by hackers.

Capcom, known for their Street Fighter and Resident Evil franchises, said that the stolen data includes names, addresses, phone numbers, and email addresses, but no credit or debit card details were compromised, as this information is securely held by an external organisation.

Capcom has reported the data breach to the UK’s Information Commissioner’s Office (ICO), as well as the Japanese data protection bodies, and said that ‘as a company that handles digital content, it is regarding this incident with the utmost seriousness’.

What type of data was stolen from Capcom?

Capcom has confirmed that nine employees’ personal data, described as ‘HR information’ and passports, had been stolen.

A further 350,000 pieces of information relating to employees and their family, service users, and shareholders are also believed to have been compromised, and the extent of the data breach is still under investigation.

In addition to the individuals’ personal information, Capcom’s classified corporate records had also been stolen, with secrets relating to several of their projects being leaked too.

The leaks include the release date for upcoming Resident Evil: Village, details about the next instalment of Phoenix Wright: Ace Attorney, and evidence suggesting a release of Resident Evil 4 on virtual reality.

The hacking group responsible – Ragnar Locker – claims to have stolen 1 TB of data from Capcom.

What will the hack cost Capcom?

The cost of the attack will be difficult to measure exactly, especially as Capcom refused to pay the hackers’ ransom. The demand was set at $11 million in Bitcoin.

The attack has damaged Capcom’s reputation as a secure digital service provider (despite Capcom claiming that their online platforms are currently safe) and their business plans for the coming quarters will almost certainly be forced to change. Data leaks in the gaming industry often precede changes to scheduled releases, as seen recently with Naughty Dog, who were forced to bring forward the release of The Last of Us: Part II after hackers posted huge swathes of the game online.

Direct damage has also been caused to Capcom’s business productivity, due to the destruction of data and disruption to normal business operations.

Cybersecurity company Datto estimates that the cost of ransomware on businesses, specifically due to the loss of productivity, is rising 200% each year.

Aside from on the corporation itself, the most significant damage caused by the hack would be on any affected individuals, who have had their personal data stolen, increasing their likelihood of falling victim to financial crime such as fraud. While the affected individuals are believed to be limited to North America and Japan, it’s always worth understanding how data breaches can affect you and what you can do to protect yourself.

We’ve already covered some of the best ways to protect your identity and finances in this article.

There’s no such thing as being too safe, especially when it comes to cybercrime that can directly impact you at any time.

One of the best ways to protect your identity is to monitor your credit accounts and application activity, all of which is recorded on your Credit Report. You can find your Credit Report easily online, usually instantly, and you can use it to see all recent credit applications in your details. If you spot anything suspicious, you’ll be ready to contact the relevant lender to request they shut down any fraudulent accounts and report the activity to Action Fraud.

How did the hackers steal the information?

Capcom described the hack as ‘a targeted attack against the company using ransomware, which destroyed and encrypted data on its servers’ – the criminals demanded ransom money to lift the ransomware, but Capcom refused to pay.

Capcom’s decision to reject the ransom was in line with law enforcement and expert advice, which is to ignore ransom requests from cybercriminals and instead report attacks to the relevant authorities.

Ransomware usually takes the form of a virus that zombifies computer systems and shuts them down until a ransom is paid to the hackers. Some attacks result in data breaches, as is the case with Capcom, that lead to thousands of people’s information being potentially stolen and sold on illegal markets.

Ransomware has been deployed by cybercriminal groups around the world to extort money from individuals, and large and small organisations alike. Most notably was the worldwide WannaCry ransomware attack in 2017, which in the UK brought NHS computer systems to a halt. The US, UK, and Australia declared that North Korean hackers were responsible, with the goal of extorting Bitcoin ransoms around the world. It is estimated that losses related to the 2017 attack reached up to $4 billion.

Ransomware is a rapidly growing cybercrime, with 20% of ransomware victims being small or medium sized businesses, according to Datto. Both individuals and large organisations (like Capcom and the National Health Service) are similarly vulnerable, so robust data protection measures are required by all to combat these types of attacks.

Cybersecurity Ventures estimates that a ransomware attack takes place every 14 seconds, so while you’ve been reading this article, you can expect a handful of attempts to have been made against individuals and businesses alike.

Credited as the creator of the survival horror genre with its zombie mega-franchise Resident Evil, Capcom has benefited from virus narratives for over twenty years, but this time the virus will be having steep and very real costs for the company.