Learning Crisis Management and the Role of Lawyers from Capcom's Information Leak
The information leak at Capcom in November 2020 (Reiwa 2) was caused by custom-made ransomware, and the personal information of up to about 390,000 people may have been exposed.
Of course, it is best to prevent incidents from occurring in the first place, and establishing a system that prevents them is essential. However, no matter what system is in place, the probability of an incident cannot be reduced to zero.
In the event that an incident does occur, what measures and investigations should be taken immediately afterwards, and when and how should the incident be announced?
In this article, we trace the Capcom information leak in chronological order, from the perspective of crisis management for personal information leaks caused by malware, in order to draw lessons about an appropriate crisis management system from the company's response.
※Lawyers have a high level of confidentiality obligation under the Japanese Attorney Act for cases they are actually involved in as lawyers. This article expresses the views of a lawyer based on publicly available information about past incidents that our firm was not involved in.
Incident Discovery and Initial Response
The incident was confirmed on November 2, 2020 (Reiwa 2).
At that point, connectivity failures on the internal system were confirmed, and steps were taken to isolate the affected systems and assess the damage.
On the same day, it was determined that the cause of the failure was file encryption on network devices due to a ransomware attack.
A threatening message from a group calling itself "Ragnar Locker" was found on the affected devices.
At this stage, Capcom reported the incident to the Osaka Prefectural Police and requested recovery support from external companies.
When an incident occurs, restoring the system urgently is naturally necessary for the continuity of the company's operations. However, once a ransomware attack is confirmed, it is almost certainly a case of unauthorized access, which is prohibited by the Japanese Unauthorized Computer Access Prohibition Law, and hasty restoration work can destroy the evidence that a police investigation depends on.
It is therefore important to report to the police promptly, even before any leakage of confidential information (including personal information) has been confirmed and before the intrusion route has been identified.
Crisis Management Public Relations Prior to the Discovery of Information Leakage
On November 4th, two days after the incident was confirmed, Capcom issued its first press release, titled "Notice Regarding System Failure Due to Unauthorized Access".
We have confirmed that this failure was due to unauthorized access from a third party, and we have partially suspended the operation of our internal network from the same day. We deeply apologize for the great inconvenience this may cause to all concerned. At this point, we have not confirmed any leakage of customer information, etc.
Notice Regarding System Failure Due to Unauthorized Access[ja]
At this stage, the matter was announced only as a "system failure" caused by "unauthorized access"; the information leak had not yet been discovered.
Press Release Following the Discovery of Information Leakage
Number of Personal Information Records Potentially Leaked, etc.
The information leak was discovered on November 12th.
It was confirmed that personal information in 9 cases, along with some corporate information, had been leaked.
The next day, Capcom engaged a major security firm to investigate the cause, and on November 16th it issued a press release confirming the leak.
At this point, they distinguished between:
- Information confirmed to have been leaked
- Information that could potentially have been leaked
And for each, they distinguished between:
- Personal information (customers, business partners, etc.)
- Personal information (employees and related parties)
- Corporate information (sales information, client information, business materials, development materials, etc.)
They posted the approximate number of cases for each category.
At this point, it was announced that “there is a possibility of leakage for up to about 350,000 cases of customer personal information”.
Presence or Absence of Credit Card Information Leakage and Corresponding Measures
At the same time, they stated:
“We outsource all payments for online sales, etc., so we do not hold credit card information, and there has been no leakage of credit card information.”
Notice and Apology Regarding Information Leakage Due to Unauthorized Access[ja]
In addition to stating whether credit card information had been leaked, the release also covered:
- Response to those whose personal information was confirmed to have been leaked and to those who may have been affected
- History of discovery and response
- Future measures
Guidance and Advice from External Lawyers, etc.
The press release also stated:
"We have reported the situation to a major software company, a major security specialist vendor, and an external lawyer with deep knowledge of cybersecurity, and have received guidance and advice. We have started contacting those who have been confirmed to have their information leaked and related parties, and will continue to investigate information that may have been stolen."
Notice and Apology Regarding Information Leakage Due to Unauthorized Access[ja]
Furthermore, two inquiry windows were set up, a "Game User Inquiry Window" and a "General Inquiry Window" (the "Contact for Personal Information" and the "Capcom Information Leakage Dedicated Inquiry Window"), both with toll-free numbers.
Four days elapsed between the discovery of at least part of the leak (November 12th) and the press release (November 16th).
This can be regarded as the time needed to verify the relatively detailed information described above and to decide on future measures.
Personal Information Leaks and Crisis Management
Unlike the initial report of a "system failure", the second report, stating that "up to 350,000 customer personal information records may have been leaked", was naturally covered by multiple media outlets.
Capcom has suffered a custom-made ransomware attack from a third party, resulting in the leakage of personal information held by the company group. As of November 16, the information that may have been leaked, including customers and business partners, is said to be up to about 350,000 cases. Business materials and development materials may also have been leaked.
Capcom, up to 350,000 personal information leaks due to unauthorized access “No problem with gameplay” – BCN+R[ja]
However, because the press release also disclosed "the course of discovery and response" and "future responses", the above article concludes as follows: "In the future, we will work in cooperation with the police authorities, establish a new advisory organization for system security by external experts, and strive to prevent recurrence. It is stated that there will be no further damage to users or outside parties due to internet connections for playing the company's games or access to the company's homepage. Furthermore, for users who may have had their personal information leaked, they are calling for caution as there is a possibility of receiving unexpected mail or suspicious contacts."
In a press release issued after the discovery of a personal information leak, it is important to disclose reasonably comprehensive information, including "the course of discovery and response" and "future responses", as above.
Also, as soon as a personal information leak is discovered, it is important to form a team of external experts such as:
- Major software companies
- Major security specialist vendors
- External lawyers with deep knowledge of cybersecurity
and, in parallel with purely IT-based measures such as cause investigation, to proceed with contacting customers whose information has been confirmed as leaked, crisis-management PR, and so on.
For listed companies, explanations to shareholders are also a necessary part of this crisis-management PR.
Potential Leakage of Job Applicant Information
Furthermore, in the "Information that may have been leaked" section of the press release, under "Personal information (customers, business partners, etc.), up to about 350,000 cases", there was an item "Job applicant information (about 125,000 cases)". Since Capcom had stated on its own recruitment site that such information would be disposed of, questions were raised on social media and elsewhere.
Regarding applicant information, Capcom had stated on their own recruitment site, “After the selection process, we will responsibly dispose of application documents and other materials from those who were not hired or declined the offer.” There are voices on Twitter questioning the company’s response to the fact that personal information that should have been disposed of was not. Capcom apologized, explaining, “We digitized resumes and other applicant information and kept it for a certain period of time. The lack of mention about digitization and insufficient expression caused misunderstanding. We apologize.” Regarding the reason for storage, they explained, “There are some applicants who apply multiple times. It was to smoothly check the past application history.” As for whether all applicant data was uniformly stored, they stated, “It is unclear at this point.”
Capcom did not dispose of application documents of unsuccessful applicants. Although the recruitment page stated "we will dispose of it responsibly", there is a possibility of information leakage due to cyber attack – ITmedia NEWS[ja]
It is unclear whether Capcom anticipated these questions. However, when information that should not exist (or that outsiders could reasonably be expected to think should not exist) is held within the company and may have been leaked, it is better to consider this issue in advance, before issuing the press release.
Launch of the Security Oversight Committee, Including Lawyers
Publication of the Third Press Release
Capcom then held a preparatory meeting on December 21st for establishing a "Security Oversight Committee" as an advisory body on system security made up of external experts.
On January 12th, 2021, Capcom published its third press release, titled "Notice and Apology Regarding Information Leakage Due to Unauthorized Access [Third Report]".
In it, the leak of an additional 16,406 people's information was confirmed, bringing the total number of people whose information was confirmed as leaked to 16,415. It was also disclosed that the maximum number of external individuals, such as customers and business partners, whose personal information may have been leaked is approximately 390,000 (an increase of about 40,000 from the previous report).
The press release updated the information as the investigation progressed. It confirmed again that no credit card information had been leaked, and also stated:
The system used for internet connections and purchases for playing our games is not the system attacked this time; an external contractor or a separate external server was used, and this remains the case. Therefore, there is no connection between the cyber attack on our system this time and the internet connections and purchases for playing our games, and there will be no damage to our customers.
Notice and Apology Regarding Information Leakage Due to Unauthorized Access [Third Report] | Capcom Co., Ltd.[ja]
About the Possibility of Personal Information Leakage of Job Applicants
At the same time, the personal information of "about 58,000 job applicants" ("one or more of name, address, telephone number, email address, etc.") was announced as "information newly confirmed as potentially leaked".
On this point, ITmedia reported:
It was revealed in November that the company had kept the information after the selection process without discarding it in relation to the cyber attack on the company. Initially, the company’s recruitment site stated, “We will responsibly discard the information after the selection process.” However, in December 2020, the company added the phrase, “Due to the acceptance of reapplications, we may keep the digitized paper media data for a certain period of time for the purpose of smoothly confirming previous applications.” According to the company, “The personal information of applicants is still stored in our internal system, and the operation is almost unchanged from before the unauthorized access.”
Capcom confirms personal information leakage of 16,000 people, also reveals possibility of leakage of 58,000 people’s information due to cyber attack in November 2020 – ITmedia NEWS[ja]
Crisis Management Public Relations Based on Investigation Results
Publication of the Fourth Press Release
Subsequently, Capcom held the first Security Oversight Committee meeting on January 18, the second on February 25, and the third on March 26, maintaining a monthly pace. On March 31, they received an investigation report from a major security company and a report from a major software company.
In response to these, on April 13, they released the fourth press release titled “Report on the Investigation Results of Unauthorized Access [4th Report]”.
In this release, they provided a detailed technical explanation based on the above reports, covering the "course of response", "cause and scope of damage", and "security enhancement measures to prevent recurrence". They also described organizational measures such as the establishment of the Security Oversight Committee, which includes a lawyer who is an expert in cybersecurity and the Japanese Personal Information Protection Law.
Reports and Responses Regarding Ransom
Meanwhile, on March 1, it was reported that the cybercrime group "Ragnar Locker" had demanded a ransom of approximately 1.15 billion yen from Capcom.
The cybercrime group "Ragnar Locker" published files claiming to be data stolen from the company on its website and demanded 11 million dollars (approximately 1.15 billion yen) in Bitcoin as a ransom. However, Capcom has refused to pay at this point.
Capcom refuses to pay 1.15 billion yen! Reasons why ransom should not be paid even in ransomware damage | Security measures in the telework era | Diamond Online[ja]
The fourth press release also addressed the ransom, under the heading "About the recognition of the ransom amount":
There was a message file from the attacker left on the infected device, and it is true that we were asked to make contact to negotiate with the attacker, but there was no mention of the ransom amount in the file. As previously reported, we decided not to negotiate with the attacker after consulting with the police, and in fact we have not made any contact (refer to the press release announced on November 16, 2020), so we do not know the amount.
Report on the Investigation Results of Unauthorized Access [4th Report] | Capcom Co., Ltd.[ja]
This appears to be a response to the specific figure of "1.15 billion yen" mentioned in the above reports and elsewhere.
Release on Related Sites, etc.
Furthermore, on the same day, Capcom also published notices on sites other than its corporate site, such as "CAPCOM: Shadaloo Fighter Research Institute" (a Street Fighter V related site) and "CAPCOM ONLINE GAMES".
[Follow-up] Notice about the failure of the group system
Thank you very much for using “Capcom Online Games (COG)”. We have released the latest information about the system failure due to unauthorized access to our group system from the early morning of November 2, 2020. Please check here for details. Notice Details | Capcom Online Games[ja]
Since it had been made clear at an early stage that the systems for game connections and purchases were "outsourced or used separate external servers", and that "there is no connection between the cyber attack on our system this time and the internet connection or download for playing games, and there is no damage to customers", it appears that they published notices on each site again when reporting the investigation results, so as not to cause anxiety among users.
Summary
When a large-scale personal information leak has occurred, it is important to:
- Report the incident to the police quickly
- Establish a system for reporting the situation to external lawyers with deep knowledge of cybersecurity and receiving their guidance and advice
- Conduct crisis-management PR through that team
And once the facts have been established to some degree, it is important to:
- Form a security oversight committee that includes lawyers
In short, what matters is handling such crises promptly and systematically.