Casio says a ransomware attack exposed information about employees, customers and business partners

Japanese electronics maker Casio confirmed Friday that a cyber incident reported earlier this week was a ransomware attack that potentially exposed the information of employees, customers, business partners and affiliates.

In an updated statement, the company said the Oct. 5 attack affected servers that had been “corrupted by a third-party ransomware attack.”

Multiple systems were rendered unusable by the ransomware attack and an investigation revealed that the hackers had gained access to data on the affected servers. The company shut down the servers and hired third-party security firms to assist in the response.

Casio set up a task force to work on restoring the affected internal systems, and the company notified police in Japan of the incident on October 6. On October 7, officials also contacted Japan’s Personal Data Protection Commission.

On Friday, Casio said it believed the personal data of temporary and contract employees had been leaked. The personal information of employees of affiliated companies was disclosed, as well as data of business partners, people who have interviewed for jobs with the company in the past, and some customers “who use services of the company and some affiliated companies.”

Casio did not explain what specific data was collected from each group, but said it did not include customers’ credit card information.

The statement adds that information regarding contracts, invoices and sales of current and former business partners and Casio subsidiaries were also leaked during the attack.

The hackers may have accessed internal legal documents and data related to workforce planning, audits, sales, technical information, and more.

“Please note that there is a possibility that your personal information may be misused to send you unsolicited emails such as phishing emails or spam emails. If you receive suspicious emails, please do not open them and delete them,” Casio said.

The company also requested that stolen information not be disseminated via social media as it could “increase the harm caused by sharing information about this case, violate the privacy of those affected, have a serious impact on their lives and businesses, and encourage crime.” “”

The attack was claimed on Thursday by ransomware gang “Underground.” The hackers said they stole 204.9GB of data from the company and provided samples of it to prove the company’s legitimacy.

Researchers said the group first emerged in July 2023, and several experts said it appeared to have ties to the Russia-based cybercrime group RomCom.

Fortinet noted that the group has listed 16 victims, most of whom are based in the United States and Europe. Microsoft released a report describing RomCom’s activities last year, saying it was “known to conduct opportunistic ransomware and extortion operations, as well as targeted credential collection campaigns that are likely to support intelligence operations.”

“[The group] operates, develops and distributes the RomCom backdoor. The actor is also deploying the Underground ransomware, which is closely related to the Industrial Spy ransomware that was first observed in the wild in May 2022,” the company said.

“Detected ransomware attacks have impacted the telecommunications and financial industries, among others.”

Microsoft added that they found “significant code overlap” with the Industrial Spy ransomware, which they believe means Underground is a rebranding of the same operation.

Learn more.