TinyPulse and Nintendo: Nintendo Acknowledges Employee Data at Risk After Third-Party Service Breach

Nintendo Confirms Data Breach via Third-Party Service, Employee Information Exposed

Nintendo has disclosed a data breach involving employee information after the extortion group ShadowByt3$ claimed to have compromised its systems. The company clarified that its own servers remained secure, but a vulnerability in TinyPulse, a third-party employee survey platform, led to the exposure.

The hackers demanded a $2 million ransom to prevent the release of sensitive data, including names, email addresses, bank records, survey responses, performance evaluations, and details on top-performing staff. While Nintendo confirmed no customer or financial data was accessed, the leaked information, primarily older survey content, could still pose risks.

Unlike previous high-profile breaches, such as the 2020 Gigaleak or Teraleak incidents, this incident does not involve game development assets or intellectual property. Nintendo stated it does not intend to negotiate with the extortion group and expects the data to be published online. The company is working with TinyPulse to address the issue.

The breach follows past criticism of Nintendo of America’s handling of temporary worker contracts, raising concerns about potential internal disclosures in the leaked survey data. No further details on the extent of the exposure have been released.

Source: https://www.ign.com/articles/nintendo-acknowledges-employee-data-at-risk-after-third-party-service-breach

Nintendo cybersecurity rating report: https://www.rankiteo.com/company/nintendo

WebMD Health Services cybersecurity rating report: https://www.rankiteo.com/company/webmd-health-services

"id": "NINWEB1781692782",
"linkid": "nintendo, webmd-health-services",
"type": "Vulnerability",
"date": "5/2020",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': '0 (no customer data exposed)',
                        'industry': 'Video Games',
                        'name': 'Nintendo',
                        'type': 'Company'}],
 'attack_vector': 'Third-Party Vulnerability',
 'customer_advisories': 'Confirmed no customer data was exposed',
 'data_breach': {'data_exfiltration': 'Yes (threatened by extortion group)',
                 'personally_identifiable_information': 'Names, email '
                                                        'addresses, bank '
                                                        'records',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information, bank records)',
                 'type_of_data_compromised': ['Employee information',
                                              'Survey responses',
                                              'Performance evaluations']},
 'description': 'Nintendo disclosed a data breach involving employee '
                'information after the extortion group *ShadowByt3$* claimed '
                'to have compromised its systems. The breach occurred due to a '
                'vulnerability in *TinyPulse*, a third-party employee survey '
                "platform, and did not involve Nintendo's own servers. The "
                'hackers demanded a $2 million ransom to prevent the release '
                'of sensitive data, including names, email addresses, bank '
                'records, survey responses, performance evaluations, and '
                'details on top-performing staff. Nintendo confirmed no '
                'customer or financial data was accessed, and the company does '
                'not intend to negotiate with the extortion group.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'employee data exposure',
            'data_compromised': 'Employee information (names, email addresses, '
                                'bank records, survey responses, performance '
                                'evaluations, details on top-performing staff)',
            'identity_theft_risk': 'Potential risk due to exposure of '
                                   'personally identifiable information',
            'payment_information_risk': 'Potential risk due to exposure of '
                                        'bank records',
            'systems_affected': 'TinyPulse employee survey platform'},
 'initial_access_broker': {'entry_point': 'TinyPulse third-party service',
                           'high_value_targets': 'Employee information, '
                                                 'performance evaluations'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion',
 'post_incident_analysis': {'root_causes': 'Vulnerability in third-party '
                                           'service (TinyPulse)'},
 'ransomware': {'data_exfiltration': 'Yes (threatened)',
                'ransom_demanded': '$2 million',
                'ransom_paid': 'No'},
 'references': [{'source': 'Nintendo Public Disclosure'}],
 'response': {'communication_strategy': 'Public disclosure of the breach',
              'third_party_assistance': 'Working with TinyPulse to address the '
                                        'issue'},
 'threat_actor': 'ShadowByt3$',
 'title': 'Nintendo Data Breach via Third-Party Service',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Vulnerability in TinyPulse employee survey '
                            'platform'}