Casio says ransomware attack exposed info of employees, customers and business partners

Japanese electronics manufacturer Casio confirmed on Friday that a cyber incident announced earlier this week was a ransomware attack that potentially exposed the information of employees, customers, business partners and affiliates.

In an updated statement, the company said the October 5 attack involved servers that “had been damaged by a third-party ransomware attack.”

Several systems were rendered unusable due to the ransomware attack, and an investigation revealed that the hackers had gained access to data held on the impacted servers. The company shut down the servers and hired outside security firms to help with the response. 

Casio created a task force to work on restoring the internal systems that were affected, and the company notified police in Japan of the incident on October 6. Officials also contacted Japan’s Personal Information Protection Commission on October 7.  

As of Friday, Casio said it believes the personal information of temporary and contract employees was leaked. The personal information of employees at affiliated companies was also exposed alongside data from business partners, people who have interviewed for jobs at the company in the past and some customers “who use services provided by the Company and some of affiliated companies.”

Casio did not outline what specific data was taken from each group but said customer credit card information was not included. 

The statement adds that information related to contracts, invoices and sales related to current and former business partners as well as Casio affiliates was also leaked during the attack. 

Internal legal documents and data on human resource planning, audits, sales, technical information and more may have been accessed by the hackers. 

“Please be aware that there is a possibility that your personal information may be misused to send you unsolicited e-mails such as phishing e-mails or spam e-mails. If you receive any suspicious e-mails, please do not open it and delete it,” Casio said. 

The company also asked that stolen information not be spread through social media because it “could increase the damage caused by the leak of information on this case, violate the privacy of those affected, have serious effects on their lives and businesses, and encourage crime.”

The attack was claimed by the “Underground” ransomware gang on Thursday. The hackers said they stole 204.9 GB of data from the company and offered samples of what was taken to prove its legitimacy. 

Researchers said the group first emerged in July 2023 and several experts explained that it seems to have links to the Russia-based RomCom cybercrime group. 

Fortinet noted that the group has listed 16 victims, with most based in the U.S. and Europe. Microsoft published a report last year outlining the operations of RomCom, which they said is “known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations.” 

“[The group] operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022,” the company said. 

“Identified ransomware attacks have impacted the telecommunications and finance industries, among others.”

Microsoft added that they found “significant code overlaps” with the Industrial Spy ransomware which they believe means Underground is a rebrand of the same operation.