Casio says customers in 148 countries affected by breach

Thousands of customers of Japanese tech manufacturer Casio had their information leaked in a data breach that occurred in one of its software subsidiaries last week.

In a lengthy explainer this week, the company said hackers accessed the company’s education web application ClassPad.net, resulting in the leak of personal information from customers in 148 countries.

“On the evening of Wednesday, October 11, when the person in charge attempted to work in the development environment, it was discovered that a database failure had occurred, and the company assessed the situation,” the company explained.

“As the company continued to analyze the situation, it was additionally confirmed that, on the evening of Thursday, October 12, the personal information of some residents of countries other than Japan was accessed.”

The company did not say how many people were affected but explained that 1,108 educational institution customers and an undisclosed number of individuals had more than 120,000 pieces of information leaked.

The information leaked includes customer names, email addresses, country of residence, order details, service usage information and payment methods. Credit card information was not included in the breach.

Casio said 91,921 “items” belonging to customers in Japan were leaked, while 35,049 items belonging to customers from other countries were exposed. The company did not respond to requests for clarification about what it meant by “item.” The notice said Casio will update the figures if findings change in the future.

Casio reported more than $2 billion in earnings last year as one of the largest producers of calculators, cameras, musical instruments, watches and more. The company has a long track record in the industry and was one of the first producers of digital watches, but has seen a decline in sales over the last decade.

Several of the largest Japanese manufacturers have faced attack in 2023, with zipper giant YKK confirming a ransomware attack in June and the Yamaha Corporation announcing its own incident in July.

Ransomware gangs have also attacked watchmaker Seiko and pharmaceutical company Eisai. In January, millions of Japanese customers of two large insurance companies had their personal information leaked after a breach.

‘Operational error’

The notice did not say whether Casio has identified the hackers.

The situation was traced back to network security settings in the development environment that were disabled “due to an operational error of the system by the department in charge and insufficient operational management.”

“Currently, all databases in the development environment targeted by the attack are inaccessible to those outside the development environment. Casio reported the incident to Japan’s Personal Information Protection Commission and to JUAS (the ‘PrivacyMark’ certification organization) on Monday, October 16,” the company said.

“Casio will continue to consult with and engage an external security specialist organization to conduct further internal investigations, analyze the root causes, and devise appropriate countermeasures in response to this incident,” the company said. It also plans to “engage an external law firm” while cooperating with police in the investigation.

The company plans to contact all customers affected by the incident.