Cyber Incident Victim: Casio

Date: Oct 2023

Location: Japan

Summary

A cybersecurity breach at Casio exposed personal data of customers across 149 countries via unauthorized access to a development environment database for its ClassPad.net education platform. The incident, attributed to disabled network security settings caused by operational errors and insufficient management, compromised names, email addresses, countries of residence, purchase details, and service usage information—excluding credit card data. Approximately 91,921 records from Japanese customers and 35,049 from international users were accessed. The company confirmed no broader system infiltration beyond the targeted database, reported the breach to Japanese authorities, and engaged external experts for investigation and security enhancements while maintaining normal app functionality.

Description

On October 11, 2023, Casio Computer Co., Ltd. detected a database failure within the development environment supporting its ClassPad.net education platform, prompting an immediate assessment. The investigation revealed unauthorized external access to the compromised database on October 12, 2023, leading to the exfiltration of personal information belonging to customers across 149 countries. Forensic analysis determined that threat actors exploited disabled network security settings caused by an operational error and insufficient management protocols within the responsible department. The breach impacted 91,921 data items from Japanese customers—including 1,108 educational institutions—and 35,049 records from customers residing in 148 other countries and regions. Exposed information encompassed customer names, email addresses, countries of residence, service usage details (such as log data and nicknames), and purchase information including payment methods, license codes, and order specifics. Casio confirmed credit card data was not stored in the affected database. The company isolated the compromised development environment databases, rendering them inaccessible to external entities, though the ClassPad.net application remained operational with no evidence of intrusion beyond the targeted database.

Casio formally reported the incident to Japan’s Personal Information Protection Commission and the PrivacyMark certification organization (JUAS) on October 16, 2023, while coordinating with law enforcement authorities on investigative efforts. The company engaged external cybersecurity specialists and forensic experts to analyze root causes, devise countermeasures, and strengthen technical safeguards—including enhanced network route security and database protections. Operational reforms included revised security protocols and expanded employee training. Affected customers received direct notifications via email, with a dedicated inquiry channel established for breach-related concerns. Separately, an August 2023 claim by threat actor "thrax" regarding the leak of 1.2 million legacy Casio records—including AWS keys and database credentials allegedly extracted from a live Remote Desktop Services server—remained unconfirmed by Casio at the time of disclosure. The company issued public apologies for the operational failures enabling the October breach and committed to implementing comprehensive security management improvements to prevent recurrence.