Casio warns employees, customers about data leak from October ransomware attack

Thousands of employees, customers and business partners of Japanese electronics manufacturer Casio had data stolen during a ransomware attack in October. 

In a notice on Wednesday, Casio provided a post-mortem on the attack, explaining that 6,456 employees, 1,931 business partners and 91 customers were impacted by the ransomware incident last fall. 

An investigation conducted by an outside cybersecurity firm sourced the ransomware attack back to phishing emails that allowed the hackers into Casio’s servers on October 5. 

“As a result of the investigation, it was confirmed that some of the data stored for internal business use, such as internal documents, had been leaked, mainly from servers that had been attacked by ransomware,” the company said. 

For the nearly 6,500 employees impacted, basic information collected by human resources was accessed, including names, employee numbers, email addresses and departments. 

Some employees had other information like gender, date of birth and home address leaked while a small number of those affected had taxpayer ID numbers exposed. 

The business partners affected had basic company information stolen by the hackers that covered addresses, phone numbers and contact information for the company’s point person or representative. Two of the business partners had other biographical information leaked. 

Casio said the 91 customers included in the breach had delivery addresses, names, telephone numbers, dates of purchase, product names stolen by the hackers. The information came from a small number of customers who purchased products in Japan that needed delivery and installation.

The company plans to contact its business partners and customers individually as soon as each person has been identified. No credit card information was accessed by the hackers. 

In addition to the personal information exposed, the hackers gained access to Casio invoices, contracts, sales, meeting materials, internal reviews and more. 

In December, Casio sent a report about the breach to Japan’s Personal Information Protection Commission as well as several other data protection authorities abroad. 

The notice adds that the company consulted with law enforcement and “has not responded to any unreasonable demands from the ransomware group that carried out the unauthorized access.”

The attack was claimed by the Underground ransomware gang, which said it stole more than 200 GB of data. 

In addition to the data theft, Casio dealt with weeks of delivery delays as a result of the attack. While some minor services have not been restored, most have been resumed, according to Casio’s statement on Tuesday. 

Casio also warned that some of its employees have received spam emails that may be related to the ransomware attack. The company said it is working with the police to “take strict action in cases of any unsolicited email or related fake information being sent out.” 

Casio is the latest Japanese company to face a massive cyberattack in recent months, with several other large corporations dealing with similar incidents.

On Wednesday, the Japanese National Police Agency and the Cybersecurity Center of the Cabinet Office published a warning about a widespread cyberattack campaign against Japanese organizations, businesses and individuals dating back to 2019 that has been sourced back to a group called MirrorFace or Earth Kasha. 

Many cybersecurity companies typically use the “Earth” nomenclature to describe Chinese threat actors. 

Several investigations conducted by police departments in Tokyo and other Japanese municipalities said the campaign is “suspected to be linked to China, with the primary objective of stealing information related to Japan’s national security and advanced technology.”

“By publicizing the modus operandi of ‘MirrorFace’ cyberattacks, the purpose of this alert is to make targeted organizations, business operators and individuals aware of the threats they face in cyberspace and to encourage them to take appropriate security measures to prevent the damage caused by cyber-attacks from spreading and to prevent damage from occurring in the first place,” the agencies said. 

Japanese officials tied more than 200 cyberattacks to the campaign, many of which targeted ministries, the country’s space agency and dozens of individuals, companies and think tanks.