Nintendo, Third-party Program Hit By Cyberattack For $2m Ransom

Tea Dating Advice app faces backlash over privacy and safety

The Tea Dating Advice app lets women review men and check backgrounds, but a data breach has ignited privacy concerns.

Nintendo, the worldwide videogame company experienced a cyberattack by a group called, "ShadowByt3$" that threatened to release employee information unless a two-day ransom of $2 million was paid.

Customers were not believed to be affected by the attack.

The cyberattack on Nintendo was first detected on Saturday, June 13, after the attacker, ShadowByt3$, claimed to have obtained employee information through a third-party group, TinyPulse, a WebMD Health Services Human Resources program for employee feedback/performance. Information stolen included names, surveys, analytics, bank statements, tax forms and more, according to the June 13 post from strategic cyber threat intelligence company, Hackrisk.io.

With the stolen 859 megabytes of employee information, the attacker requested a ransom of $2 million to be paid by Monday, June 15, or the information would be released.

The attacker made a second threat on Sunday, June 14, however, against the human resources program TinyPulse demanding the ransom to be paid by Tuesday, June 16, according to a June 16 "Kotaku" report.

"In this case, 'ShadowByt3$' reportedly adopted what cybersecurity experts refer to as 'triple extortion' tactics. Traditionally, ransomware attacks involved encrypting data and demanding payment for its release. Modern extortion groups have evolved their methods by first stealing sensitive data, then threatening to leak it publicly if payment is not made. Triple extortion goes a step further by targeting additional stakeholders connected to the victim organization," Cybersecurity Insiders said on Wednesday, June 17.

After the second threat, Nintendo released a statement on June 15 acknowledging the data breach and confirmed that employees were the only ones affected.

"We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America. Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed," Nintendo said in its statement posted on Nintendo Everything's website on June 16. "The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years. We appreciate our employees’ willingness to share their perspectives, take all feedback seriously, and take action when needed. We are working with the service provider to address the issue."

As of June Wednesday, June 17, no additional threats or negotiations between Nintendo and the attacker have been reported.

Investigations on the breach's impact are expected to continue, according to Cybersecurity Insiders.

The video game entertainment company Nintendo was first established in 1889 in Kyoto, Japan. In 1980, the wholly-owned subsidiary Nintendo of America was founded (covering North and South American markets) and is currently headquartered in Redmond, Washington.

Contact Sarah Moore @ smoore@lsj.com