Cyber Incident Victim: JVCKenwood

Date: Sep 2021

Location: Japan

Summary

JVCKenwood suffered a Conti ransomware attack that compromised servers at European sales subsidiaries, with threat actors claiming theft of 1.5 terabytes of data and demanding a $7 million ransom. The attackers provided a scanned employee passport as proof of access, but no customer data leaks were confirmed. Conti, associated with the TrickBot cybercrime group, has previously targeted government entities, healthcare organizations, and industrial firms through similar ransomware campaigns. The company detected unauthorized access but had not engaged with the ransom demands at the time of reporting.

Description

On September 22, 2021, unauthorized access was detected on servers operated by several European sales subsidiaries of JVCKenwood, a multinational electronics corporation headquartered in Japan with annual revenue of $2.45 billion and approximately 17,000 employees. The company disclosed the breach eight days later in a September 30 press statement, confirming the intrusion affected sales companies in Europe but providing no evidence of compromised customer data at that stage. Attackers affiliated with the Conti ransomware operation subsequently claimed responsibility, asserting they had exfiltrated 1.7 terabytes of corporate data prior to deploying ransomware. The group demanded a $7 million ransom payment to prevent public release of the stolen files and to provide decryption tools for any encrypted systems. As proof of their claims, Conti operatives circulated a PDF containing a scanned passport belonging to a JVCKenwood employee, though the company did not publicly verify the authenticity of this document.

The Conti group, which cybersecurity authorities associate with the TrickBot malware operation and affiliated threats like BazarBackdoor, used its established network compromise tactics to breach JVCKenwood's infrastructure. The ransom note specified the 1.5TB data theft figure alongside the financial demand, though discrepancies emerged between the gang's claimed 1.7TB exfiltration and the 1.5TB referenced in payment negotiations. JVCKenwood's subsequent lack of communication with the attackers, observed following the initial proof-of-hack publication, indicated a probable decision against ransom payment. Conti had previously executed high-impact attacks against municipal, healthcare, and critical infrastructure targets, including Ireland's Health Service Executive and the City of Tulsa, prompting a joint cybersecurity advisory from the FBI, CISA, and NSA regarding its escalating operations. The incident disrupted JVCKenwood's European sales operations, though the company's disclosure emphasized ongoing investigations without confirming operational or data loss impacts beyond the acknowledged server breach.
