Capcom has shared a statement regarding the ransomware attack it suffered in November 2020, confirming that its investigations are now complete and assuring customers that no credit card information has been compromised.
The message – a lengthy read that covers the entire timeline of events from November last year up until the present day – details the root cause of the attack itself and the security measures introduced by the company to ensure this doesn't happen again. It explains that the attack targetted an old VPN device located at its North American subsidiary, and that this device has already been removed from its network.
As for any at-risk personal data, Capcom says that no data relating to online transactions has been compromised and promises that "it remains safe for Capcom customers or others to connect to the internet to play or purchase the company's games online."
As described in previous announcements, none of the at-risk data contains credit card information. All online transactions etc. are handled by a third-party service provider on a separate system (not involved in this attack), and as such Capcom does not maintain any such information internally.
Additionally, the areas that were impacted in the incident are unrelated to those systems used when connecting to the internet to play or purchase the company's games online, which utilized and continue to utilize either an external third-party server or an external server (not involved in this attack). As such, these systems were outside the scope of the incident, and it remains safe for Capcom customers or others to connect to the internet to play or purchase the company's games online.
The company has noted that it is already notifying anyone whose personal or corporate information has been confirmed to have been compromised, and has set up avenues that allow anyone concerned to inquire about the situation: North America / EMEA.