Japanese electronics colossus Casio Computer Co., Ltd. has suffered a data breach on its ClassPad education platform, impacting customers in 149 countries.
A database failure in the development environment on October 11, 2023, alerted Casio to the problem; by October 12, 2023, the company had determined that an unauthorized external party had accessed the ClassPad development database.
Casio launched an investigation and confirmed that the data breach affected more than 100,000 domestic and international customers across 149 countries and regions.
Human error caused the Casio data breach
Casio’s investigation found that operational errors disabled some network security settings within the development environment, granting an external party unauthorized access.
“Casio believes these were the causes of the situation that allowed an external party to gain unauthorized access,” the company admitted.
Development environments often lack the controls that are standard in production, either because teams relax them to make testing easier or because they are simply overlooked, which makes them attractive targets for attackers.
“This data breach was caused by human error which led to a network and database compromise,” said Roger Grimes, a Data-Driven Defense Evangelist at KnowBe4. “It’s important that any changes impacting cybersecurity be reviewed prior to implementation and that all security settings be periodically reviewed for accuracy.”
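The two points above, that a development environment's network settings were changed in a way that exposed a database externally and that such settings should be reviewed periodically rather than trusted, are the kind of thing a short audit script can catch. The following is an added example, not code from Casio or from the article; the rule format is a deliberately simplified, hypothetical one rather than any cloud vendor's API, and the sample rules are constructed. It flags inbound rules that expose common database ports to public address ranges and reports drift between the currently applied rules and an approved baseline.

```python
"""Audit inbound network rules for database ports reachable from public
address space, and detect drift from an approved baseline.

Added example with a hypothetical, vendor-neutral rule format; adapt the
Rule loader to whatever your firewall or security-group API returns.
"""
import ipaddress
from dataclasses import dataclass

# Ports of common database engines; any of these reachable from the
# internet on a development network is a finding.
DB_PORTS = {
    1433: "mssql",
    1521: "oracle",
    3306: "mysql",
    5432: "postgresql",
    6379: "redis",
    27017: "mongodb",
}

# Address ranges treated as internal. Anything not fully contained in one
# of these is considered public.
PRIVATE_NETS = [
    ipaddress.ip_network(c)
    for c in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "127.0.0.0/8", "169.254.0.0/16",
        "fc00::/7", "fe80::/10", "::1/128",
    )
]


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule (hypothetical simplified format)."""
    name: str
    protocol: str      # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source_cidr: str


def is_public_source(cidr: str) -> bool:
    """True unless the source range lies entirely inside a private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(
        net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS
    )


def exposed_db_ports(rules):
    """Return (rule name, port, service, source) for every database port
    that a rule opens to a public source range."""
    findings = []
    for r in rules:
        if r.protocol not in ("tcp", "any"):
            continue
        if not is_public_source(r.source_cidr):
            continue
        for port, service in DB_PORTS.items():
            if r.port_from <= port <= r.port_to:
                findings.append((r.name, port, service, r.source_cidr))
    return findings


def drift(baseline, current):
    """Rules present in the live configuration but not in the approved
    baseline (and vice versa). A non-empty 'added' set is exactly the kind
    of change that should have gone through review."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base, key=lambda r: r.name),
        "removed": sorted(base - cur, key=lambda r: r.name),
    }


# Constructed sample data: an approved baseline for a development VPC and a
# live rule set where someone added a temporary "allow everything" rule.
SAMPLE_BASELINE = (
    Rule("dev-db-from-vpc", "tcp", 5432, 5432, "10.20.0.0/16"),
    Rule("dev-ssh-from-bastion", "tcp", 22, 22, "10.20.1.10/32"),
)
SAMPLE_CURRENT = SAMPLE_BASELINE + (
    Rule("tmp-debug-allow-all", "any", 0, 65535, "0.0.0.0/0"),
)


if __name__ == "__main__":
    for name, port, svc, src in exposed_db_ports(SAMPLE_CURRENT):
        print(f"EXPOSED: rule {name} opens {svc}/{port} to {src}")
    changes = drift(SAMPLE_BASELINE, SAMPLE_CURRENT)
    for r in changes["added"]:
        print(f"DRIFT: unreviewed rule added: {r.name}")
    for r in changes["removed"]:
        print(f"DRIFT: baseline rule missing: {r.name}")
```

Run on a schedule against the live rule set, a non-empty result from either function is the signal to page someone; the baseline comparison catches changes that are not database-related as well, which is the "periodically reviewed for accuracy" check rather than a one-off port scan.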
However, Casio found no evidence that the attacker reached any system beyond the database in the development environment, so the ClassPad.net app itself remained available. Other systems that did not have access to that database were likewise not disrupted.
“Casio has confirmed that there is no evidence of any unauthorized intrusion into assets other than the database in the development environment,” the company stated.
Meanwhile, Casio has restricted outsiders’ access to the compromised development database to prevent further exploitation.
“Currently, all databases in the development environment targeted by the attack are inaccessible to those outside the development environment,” said Casio.
Casio data breach impacted over 100,000 customers in 149 countries
While Casio responded promptly to prevent further exploitation, the cyber intruder had accessed 91,921 records from Japanese customers, including individuals and 1,108 educational institutions, and 35,049 records from other customers from 148 countries and regions.
According to Casio’s assessment, the data breach exposed customer names, email addresses, countries of residence, service usage details, and purchase information such as payment methods, license codes, and order specifics.
Casio reported the incident to Japan’s Personal Information Protection Commission on Monday, October 16, 2023, and is assisting law enforcement to investigate the data breach.
“Casio will continue to consult with and engage an external security specialist organization to conduct further internal investigations, analyze the root causes, and devise appropriate countermeasures in response to this incident.”
The electronics behemoth also promised to contact impacted customers and consider possible legal actions.
Similarly, the G-Shock, Edifice, and Sheen maker will review internal security and operational rules and conduct employee training to prevent future breaches.
Casio also advises customers to change their passwords, monitor their accounts for suspicious activity, and stay alert for phishing attempts that use the leaked details to collect more information or distribute malware.
Casio data surfaces on BreachForums
Meanwhile, a threat actor named ‘thrax’ on BreachForums is selling a database allegedly stolen from Casio. The database contains 476,420 user records, with the most recent entries dated 2011.
While acknowledging that the database is “kinda old as hell,” the seller claims it contains “AWS keys (with some pretty juicy permissions, S3 bucket access, etc.) and database credentials, etc.”
Additionally, the threat actor claims they provided access keys to another attacker who discovered a much older database, with the most recent entries dated 2006, containing approximately 800,000 users.
Neither Casio nor the threat actors confirmed whether the old databases were related to the recent data breach.