Capcom has wrapped up its investigation of a major hack detected in November, which exposed not just personal information and business documents but the company's long-term plans, extending out to four years. The report concludes that the attack first began in October, not November, and can be traced back to hardware at the publisher's North American branch, Capcom USA. It has downscaled the number of people confirmed to be comprised by 766 to 15,649.
The company has issued multiple updates since the hack was first reported. Initially, it said only that an unknown party had breached its servers on November 2, forcing it to shut down access. It later emerged that the company was hit with ransomware and that large volumes of information had been stolen, including possible plot details for the upcoming Resident Evil Village.
According to Capcom, third-party firms helped trace the incident back to an older, backup VPN (Virtual Private Network) device in use at Capcom USA's California offices. This vector was used to gain access to other devices in both the U.S. and Japan, a process made easier by the fact that Capcom had yet to implement planned network security upgrades since it was devoting resources to improving remote work infrastructure during the COVID-19 pandemic. Ransomware began infecting some devices, and network issues crippled internal email and file servers. The company says there was never a specific ransom demand, and it never made any attempt to contact the responsible party, going on the advice of law enforcement officials.
In fact, Capcom says it has been "coordinating both domestically and overseas with law enforcement and related organizations," though it's unclear how well such efforts are going. In the meantime, it has tossed out the VPN backup, reverified security, scrubbed drives, and made improvements such as adding Security Operation Center service and better device management. An oversight committee established in January is working to keep security up to date.
The company has come under fire for forcing staff to work out of its Osaka offices in the attack's aftermath, despite the threat of COVID-19. It did require masks, social distancing, and temperature checks, and was not breaking any laws – but the policy differs from fellow Japanese publishers like Sony and Square Enix, both of which will be fully remote until the pandemic is under control. Last spring, Capcom dealt with at least one COVID infection, and the company is likely eager to avoid further negative publicity in the run-up to Resident Evil Village's May 7 launch.
Source: Capcom