Japanese watch and electronics manufacturer Casio has notified customers from 149 countries that it had suffered a data breach.
On 12 October, Casio discovered evidence to suggest that a threat actor had gained access to personal customer data on its systems, a day after it discovered that a database for its ClassPass education platform had failed within its development environment.
According to the company, the threat actor gained access to 91,921 records within Japan alone, belonging to both individuals and 1,108 educational institutions. The attackers accessed a further 35,049 records belonging to customers in another 148 countries.
The data accessed in the incident was extensive, including customer names, email addresses, countries of residence, service usage information and purchase information, including order details, payment methods and license codes.
Credit card information was not compromised in the breach, as Casio doesn’t store that information on the affected database.
The company said that the breach likely came after it disabled some of its network security measures in light of the database failure.
“At this time, it has been confirmed that some of the network security settings in the development environment were disabled due to an operational error of the system by the department in charge and insufficient operational management,” the company said in an official statement.
“Casio believes these were the causes of the situation that allowed an external party to gain unauthorised access.”
Responding to the breach, Casio has disabled access to all databases within the targeted development environment for anyone outside that environment.
The company has also reported the breach to the Personal Information Protection Commission in Japan and to the Japan Users Association of Information Systems (JUAS).
“Casio will continue to consult with and engage an external security specialist organisation to conduct further internal investigations, analyse the root causes, and devise appropriate countermeasures in response to this incident,” the company added.
“Casio will also engage an external law firm to consider potential legal steps, including interfacing with the authorities. In addition, Casio is also consulting with the police and will cooperate with the investigation.”
The company is in the process of contacting customers affected by the incident by email.
Casio has been plagued by cyber troubles, having suffered another attack only months ago in August, when a hacker going by the name “thrax” posted on a cyber crime forum that he had leaked the records of over 1.2 million Casio users.
The records the hacker leaked were reportedly from an older casio.com database, with data including AWS, database credentials and data entries from as early as July 2011.