
Cyber Incident Victim: Koei Tecmo

Date:

Dec 2020

Location:

United Kingdom

Summary

A Japanese game developer suffered a data breach when a threat actor used spear-phishing to compromise its European subsidiary's forum and stole approximately 65,000 user records, including email addresses, usernames, weakly protected passwords (hashed with outdated salted MD5), IP addresses, dates of birth, and country information. The attacker first tried to sell the database and web shell access, then leaked the data publicly, citing the company's failure to notify affected users within GDPR-mandated timelines and criticizing its inadequate security practices. The compromised websites were taken offline, and the subsidiary was isolated from the internal network. The company confirmed no financial data was exposed and assessed no ransomware involvement, attributing the incident solely to forum access. The threat actor claimed motivations centered on enforcing data protection accountability.


Description

On December 18, 2020, a threat actor compromised Koei Tecmo's European subsidiary website (koeitecmoeurope.com) through a spear-phishing campaign targeting an employee. By December 20, the attacker advertised stolen data from a forum database containing approximately 65,000 user records on a hacker forum, offering to sell the database for 0.05 BTC (~$1,300) and web shell access for 0.25 BTC (~$6,500). The threat actor claimed to have obtained FTP credentials and Twitter account secrets through the web shell planted during the intrusion. On December 23, after Koei Tecmo removed the web shell without notifying affected users within 72 hours as required by GDPR, the attacker leaked the entire database publicly. The exposed data included forum members' email addresses, IP addresses, usernames, dates of birth, countries, and passwords hashed with a weak salted MD5 algorithm dating to 1992. Forensic analysis confirmed no financial information was stored in the compromised database.


Koei Tecmo detected the breach following the data leak and immediately took its American (koeitecmoamerica.com) and European websites offline on December 23, posting a maintenance notice citing potential cyberattack investigations. The company issued a formal breach advisory confirming unauthorized access to its UK subsidiary's forum user data but emphasized that only optional account names, encrypted passwords, and email addresses were impacted. Internal network segmentation was implemented to isolate the UK subsidiary (KTE) from corporate systems during the investigation. Koei Tecmo assessed the incident as unrelated to ransomware, noting that the attacker made no threats or demands. The hacker justified the leak as retaliation for GDPR non-compliance and inadequate security practices, specifically criticizing the obsolete password hashing implementation. This incident occurred amid multiple 2020 cyberattacks against game developers, including Crytek, Ubisoft, and Capcom, though Koei Tecmo's breach affected only forum user data and did not disrupt game operations or corporate financial systems.
