Hackers were able to gain access to Capcom's internal servers through an old VPN device, Capcom revealed in a new update posted on the publisher's official blog.
The subsequent attack allowed hackers to steal more than 1 TB of sensitive information, including source code, planned release schedules and other data. The attack also compromised the information of more than 15,000 people, although Capcom says that no credit card information was sent.
Capcom provided the useful diagram below to show how the attack was carried out:
Capcom partially blamed the COVID-19 pandemic for the conditions that led to the ransomware attack.
According to IT experts, unauthorized access to the Company's internal network was acquired in October 2020 through a cyber attack on an older backup VPN (Virtual Private Network) device maintained at its subsidiary American company (Capcom USA, Inc.). At that time, the Capcom Group, including the North American subsidiary, had already introduced a new, different model of VPN devices; however, due to the increasing load on the Company's network due to the spread of COVID-19 in the state of California, where this North American subsidiary is located, one of the oldest VPN devices mentioned remained exclusively in this North American subsidiary as an emergency backup in case of communication problems, and became the target of the attack. The device in question has already been removed from the network at this time.
The attack started on November 1, 2020, with Capcom publicly announcing the event just a few days later. Former Capcom employees described being frustrated by the company's lack of communication, calling the information request a "one-way street".
Capcom says it has since taken steps to prevent further attacks, including rechecking the security of all VPN devices. The publisher also contacted those with compromised information to discuss the incident in more detail.
"Capcom would like once again to reiterate its deepest apologies for any complications or concerns caused by the incident," wrote Capcom. "As a company that deals with digital content, it is taking this incident with the utmost seriousness and will take reasonable steps to respond to any requests or guidelines provided by law enforcement authorities and other relevant authorities in each country."
Kat Bailey is senior news editor at IGN.