Nintendo's Data Stolen in Third-Party Cyberattack
Nintendo of America confirmed to BleepingComputer that data was stolen from the third-party TinyPulse service, which it used for internal surveys. The company emphasized that its own systems were not affected by the attack.
What Happened
The video game giant Nintendo is in the news for a cybersecurity incident. However, this incident is not of the kind we often see. Nintendo of America made a specific statement to the technology and cybersecurity news site BleepingComputer, confirming that it was affected by a data breach. The heart of the issue does not lie with Nintendo's own servers or network infrastructure. The source of the problem is a third-party service used in the company's internal operations, TinyPulse.
TinyPulse is a survey platform that companies use to measure employee satisfaction and feedback. Nintendo, like many other modern companies, was using such a service to gauge the pulse of its employees and improve corporate culture. This very service was subjected to a cyberattack, and the attackers gained access to the data held on the platform. According to Nintendo's statement, this data included their own survey information. This situation once again highlights a risk that is becoming increasingly important in the modern business world: supply chain or third-party risk. No matter how robust a company's own firewalls are, a vulnerability in another company it collaborates with or receives services from can indirectly affect it. The Nintendo case stands as a concrete example of how the weakest link in this chain can put the entire structure at risk.
The Data Seized
The most critical point of the breach is what data was stolen. According to Nintendo's statement to BleepingComputer, the data seized by the attackers is described as "survey data" collected via the TinyPulse platform. This is a rather broad definition, but its content can be inferred from the nature of the service. Platforms like TinyPulse typically collect employees' thoughts on their workplace, managers, company policies, and overall satisfaction levels. These surveys are often conducted anonymously so that employees can express themselves more freely.
There has been no clear statement on whether the stolen data pertains to specific surveys or if it contains Personally Identifiable Information (PII). However, such survey data, while not appearing as dangerous as financial data or customer information at first glance, can be quite sensitive. Information about the company's internal dynamics, employee morale, potential management issues, and clues about strategic plans can be extracted from this data. If the data is not anonymous or contains metadata that could break anonymity, the opinions of specific employees could also be exposed. This could both damage the internal environment of trust and be used by rival firms or malicious actors. Nintendo has refrained from providing more details about the nature of the stolen data, so uncertainty remains regarding the number of affected employees or the size of the dataset.
How the Attack Occurred
Let's get to the technical aspect of the incident. The attack was not directly aimed at Nintendo. The target was the company that provides the TinyPulse service, a subsidiary of WebMD. According to BleepingComputer's report, the attack was carried out on TinyPulse's systems, and Nintendo was indirectly affected. The technical details of how exactly the attack happened, which security vulnerability was exploited, or for how long the attackers had access to the system have not yet been shared with the public.
Typically, such third-party attacks occur through methods like misconfigured cloud servers, zero-day vulnerabilities in software, weak authentication mechanisms, or the compromise of an authorized employee's credentials via phishing attacks. However, since no specific statement has been made by Nintendo or the company operating TinyPulse, commenting on the vector of the current attack would be mere speculation. The only known fact is that the attackers managed to bypass TinyPulse's defenses and access customer data, including Nintendo's survey data. This incident serves as a stark reminder that the security of a service provider is synonymous with the security of all its customers.
Who Is Affected
Those directly affected by this breach are the employees of Nintendo of America. The data provided by personnel who participated in internal satisfaction and feedback surveys is now in the hands of third parties. Whether the data is anonymous or not will be the most crucial factor in determining the extent of the impact. If the data can be linked to personal information, the employees who participated in these surveys could potentially be at risk.
Indirectly affected is Nintendo itself. Although the company emphasizes that its own systems are secure and its main operations are unaffected, its name being mentioned in a data breach is detrimental to its brand reputation. Reliability may be questioned by customers and business partners. Gamers or Nintendo console owners are not directly affected by this incident. The stolen data does not include customer data like gamer accounts, credit card information, or game saves. The breach is entirely related to the company's internal operations. Therefore, if you are a Switch user, there is currently no reason to be concerned.
What You Can Do
The actions you can take in such a situation depend on who you are. Due to the nature of the incident—namely, that the stolen data is employee surveys—no immediate action is required for the general Nintendo customer base.
- For Nintendo Gamers: This breach does not affect your player accounts or personal data. Nevertheless, as a good general cybersecurity practice, enabling two-factor authentication (2FA) on your Nintendo account is always a good idea. This will keep your account more secure against future, unrelated attacks.
- For Nintendo Employees: If you are a Nintendo employee and participated in these surveys, it's wise to be cautious. Follow official announcements from your company's Human Resources or Security department. Although it's unclear whether the data contains personal information, be vigilant against suspicious emails or messages. Attackers might use the internal information they've obtained to craft more convincing spear-phishing attacks.
- For Other Companies: This incident serves as an important lesson for all companies. If your company uses third-party software or services, review the security standards of these partners. Ensure your contracts with them cover data security and breach notification responsibilities. Remember that your security is only as strong as the weakest link in your supply chain.
What the Company Says
Following the disclosure of the incident, Nintendo of America took a proactive approach and issued a statement to BleepingComputer. This statement was crucial for clarifying the situation and allaying concerns. Two key points stood out in the company spokesperson's statement.
First, Nintendo unequivocally confirmed that the data breach occurred at a third-party service provider, TinyPulse, and that its own survey data was stolen as a result. This is a positive step in terms of transparency. Instead of denying or trying to hide the problem, they acknowledged it.
The second and perhaps most important point was Nintendo's emphasis that its own systems were not affected by this attack. The statement clearly said, "Nintendo's networks or systems were not affected by this incident." This was an emphasis to clarify that the breach did not stem from a vulnerability in Nintendo's own security infrastructure but was entirely due to an issue in an external partner's systems. By doing so, the company aims to reassure its customers and investors and to convey the message that the incident poses no threat to its core operations. So far, there has been no public statement from TinyPulse or its parent company, WebMD, on the matter.