Casio Keyed Up After Data Loss Hits Customers In 149 Countries

Japanese electronics giant Casio said miscreants broke into its ClassPad server and stole a database with personal information belonging to customers in 149 countries.

ClassPad is Casio’s education web app, and in a Wednesday statement on its website, the firm said an intruder breached a ClassPad server and swiped hundreds of thousands of “items” belonging to individuals and organizations around the globe.

As of October 18, the crooks accessed 91,921 items belonging to Japanese customers, including individuals and 1,108 educational institution customers, as well as 35,049 items belonging to customers from 148 other countries. If Casio finds additional customers were compromised, it promises to update this count.

The data included customers’ names, email addresses, country of residence, purchasing info including order details, payment method and license code, and service usage info including log data and nicknames. Casio noted that it doesn’t retain customers’ credit card information, so presumably people’s banking info wasn’t compromised in the hack.

Casio detected the incident on Wednesday, October 11, following the failure of a ClassPad database within the company’s development environment. An employee discovered the incident while attempting to work in the corporate dev environment and spotted the database failure. Evidence suggests that the attacker accessed customers’ personal information a day later, on October 12.

The exposed data includes customer names, email addresses, countries of residence, service usage details, and purchase information such as payment methods, license codes, and order specifics.

Casio says that credit card information was not stored within the compromised database.

As of October 18, the attackers accessed 91,921 items belonging to Japanese customers (including individuals and 1,108 educational institution customers) and 35,049 records belonging to customers from 148 countries and regions outside Japan.

“At this time, it has been confirmed that some of the network security settings in the development environment were disabled due to an operational error of the system by the department in charge and insufficient operational management,” the company said.

“Casio believes these were the causes of the situation that allowed an external party to gain unauthorized access.”

ClassPad still online, previous breach claims

Although the compromised database is currently “inaccessible to external entities,” the ClassPad.net app remains operational. Casio clarified that the hackers did not infiltrate systems beyond the compromised database within the development environment. The intruder didn’t access the ClassPad.net app, according to Casio, so that is still available for use.

In response to the problem, Casio has blocked outside access to all databases in the development environment that were targeted by the attackers. The Japanese giant also said it’s working with external cybersecurity and forensics experts to conduct an internal investigation to find the underlying causes of the incident and draw up countermeasures in response to the breach.

On Monday, October 16, Casio reported the incident to Japan’s Personal Information Protection Commission and JUAS, the PrivacyMark certification organization, and is also collaborating with law enforcement authorities, assisting with their breach investigation.

All customers whose personal information may have been accessed will be contacted, it promised, and Casio will also respond to inquiries via this contact form.

Casio’s breach follows several other high-profile data heists disclosed this week, including a second batch of stolen data from 23andMe being leaked on a cybercrime forum. It appears to be the same criminal who broke into the biotech company and leaked profile data two weeks ago.

In early August, a threat actor (known as thrax) claimed to have leaked over 1.2 million user records on the BreachForums cybercrime forum, allegedly stolen from a Remote Desktop Services (RDS) server with older casio.com databases.

The allegedly stolen information contains entries up to July 2011, AWS keys, and database credentials.

“This DB is kinda old as hell, but believe it or not, this was dumped from a live RDS server today. If anyone wants the AWS keys (with some pretty juicy permissions, S3 bucket access, etc.) and database credentials, etc., DM me,” the threat actor said.

“A user who I gave the AWS keys to has managed to find another database. After looking into this database, the newest date I could reference was January 2006, another old database.”

A Casio spokesperson was not immediately available for comment when contacted earlier today to provide additional details regarding the October incident and to confirm thrax’s claims.


* This article was expanded from The Register and Bleeping Computer.
