In a statement to BleepingComputer, Nintendo of America said that it was aware of an incident impacting TinyPulse, a third-party anonymous survey service for staff, which is owned by WebMD Health Services.
“We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America,” the statement reads.
“Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed. Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed."
"The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years.”
Nintendo of America said it was currently working with TinyPulse to resolve the issue.
The statement follows claims made by the Shadowbyt3$ threat group, which claimed to have stolen sensitive data belonging to Nintendo of America staff.
The group said that they stole almost 1 gigabyte of data from Nintendo, which includes employee personal information.
The group gave Nintendo 48 hours to begin negotiations, but was otherwise demanding US$2 million (roughly A$2.85 million).
"If you contact us we give you an extra day to think this through. We are demanding a ransom payment of 2 million dollars," the threat group said.
The group also said that data includes names, email addresses, bank statements, W-9 forms with employee IDs, progress plans and reports from the last 10 years, and analytics and survey data.
“Check your inbox if you work for Nintendo and use TinyPulse or go login to TinyPulse if the URL in the leak looks familiar,” the threat actor added.
In another post, the group said that the incident “doesn’t affect Nintendo Gaming” but “a small amount of employees that work for Nintendo and have used TinyPulse."
It then posted a link to allegedly leaked data, including conversations and direct messages between employees, adding that there would be more victims. This suggests that Nintendo did not engage in negotiations.
Who is ShadowByt3$?
ShadowByt3$ is a self described “extortion as a service group” that began operation in October last year. While not much is known about the group, it leaks data of victims that do not pay, like a ransomware group. However, it is unclear if ransomware malware is used in their operations.
It says that in cases of payments, all stolen data “will be deleted permanently and you will not hear from us again”, a promise that threat actors do not always uphold and thus payment does not rule out further damage or continued pressure.
Want to see more stories from trusted news sources?Make Cyber Daily a preferred news source on Google.
