A ransomware attack on Shimano could lead to its future designs being leaked to competitors, a cybersecurity expert said.
Last week it was reported, by this publication among others, that the Japanese manufacturer of bicycle components and fishing tackle had been targeted by the LockBit ransomware group, which threatened to release 4.5 TB of sensitive data on November 5, 2023, at 18:34:13 UTC. It is not known whether the situation was resolved on Sunday, but as of Tuesday investigations were continuing.
The full ransom notice is listed on Ransomlook.io, an open source project that aims to help those tracking ransomware-related posts and activity across various leak sites and forums.
The leak notice claims that the group has obtained highly sensitive data, including:
– Employee information, including identification, Social Security numbers, addresses, and passport scans
– Financial documents including balance sheets, profit and loss reports, bank statements, and various tax forms and reports
– Customer data including addresses, internal documents, postal correspondence, confidential reports, legal documents and factory inspection results
– Other documents, including non-disclosure agreements, contracts, confidential drawings, development materials, and laboratory tests
Speaking to Cycling Weekly on Monday, Dr. Harjinder Lally, a cybersecurity researcher at the University of Warwick, explained that the alleged cybercriminals are likely to leak the information if the ransom is not paid, and that this could lead to intellectual property ending up in the hands of competitors.
“The company is in a bit of a dilemma,” Dr. Lally said. “Sure, they might have backups. So they might think, well, it doesn’t matter that you have our designs, it’s not like we won’t be able to keep working, we’ll keep working.”
“What would really worry them is obviously if the passport data gets leaked. The designs end up in the hands of competitors. And obviously there’s also all the financial data, which can reveal their financial situation as well. Whichever way you look at it, this is not a good place for Shimano to be.”
LockBit is a notorious cybercrime group that deploys ransomware to encrypt and steal sensitive company data and then extorts payment in exchange for not publishing it; according to Flashpoint, a cybersecurity company, it was responsible for 27.93% of all ransomware attacks. Other recent victims include Royal Mail and Boeing.
“What cybercriminals will do is say, ‘Okay, we’re happy to give you the key, but you have to pay X amount in bitcoin,’” Dr. Lally explained. “So, they would have to pay that amount into an account, and then they would decrypt it, and get their data back.”
He continued: “What they usually do is threaten to leak it. In the case of the designs, the company obviously doesn’t want them to be leaked, because they’ve spent months and months, maybe years, on them, getting them ready to go to market. And they’re basically leaking all of their IP. Competitors would be very interested if they were leaked. They will threaten to do so, unless they pay a Bitcoin ransom.”
Contacted last week, a Shimano spokesperson said: “This is an internal matter at Shimano, and is being investigated, but we cannot comment on anything at this time.”
This is not the company’s first headache this year. In September, Shimano recalled 760,000 cranks in the US and Canada after the Consumer Product Safety Commission raised concerns on September 21, 2023.
Since then, Shimano has launched a global “free inspection program” covering 2.8 million cranks sold between 2013 and 2019, but, notably, no “stop riding” notice has been issued outside North America.
Shimano has been contacted for further comment.