Japanese video game publisher Bandai Namco Holdings Inc. has been targeted in a cyberattack that may have resulted in data theft.
The company, which publishes games such as “Pac-Man,” “Dragon Ball” and “Elden Ring,” is officially describing the attack as unauthorized access by a third party to internal systems of group companies in Asian regions excluding Japan. The company said that it had blocked access to servers to “prevent damage from spreading,” giving a hint of what form of cyberattack took place.
Typical data theft doesn’t result in “damage,” making the obvious candidate ransomware, which is what it appears to be. Bleeping Computer reported Wednesday that the BlackCat ransomware gang, also known as AlphV, claimed responsibility for the attack and said that it had also stolen corporate data.
AlphV/BlackCat was in the news in January when it took responsibility for a ransomware attack on Italian luxury fashion brand Moncler SpA. The gang was also in the news earlier this week when it started to offer the ability to search stolen data in an effort to have victims pay ransom demands.
Bandai Namco said that data stolen in the attack may have included customer information related to the Toys and Hobby Business in Asian regions. The company did not specify the range of personally identifiable information that may have been accessed.
The theft of the data through group companies versus Bandai Namco directly was noted by security experts. Demi Ben-Ari, chief technology officer and head of security for security risk management provider Panorays Ltd., told SiliconANGLE that the fact that the company’s confirmation that systems were accessed through one of its third-party entities paints a clear example that there must be better management of these types of entities with regard to security.
“Just as if they were a ‘regular third party,’ these entities must be assessed with the same cyber risk framework as the parent organization,” Ben-Air explained. “Basic steps can be taken such as improving overall cyber hygiene across the organization, as well as continuous monitoring and engagement with these types of third parties.”
Lisa Plaggemeier, interim executive director of the National Cybersecurity Alliance, warned that if attackers were able to access any user data stored on Bandai Namco’s systems related to online multiplayer games it publishes, such as “Genshin Impact” and “Elden Ring,” that could create a whole new set of threats for gamers. “Any sensitive info gleaned can likely be further used for phishing and social engineering attacks against users in the guise of publisher or as online gaming service provider personnel,” she said.