Nintendo confirms employee survey data stolen from third-party service

According to Bleeping Computer, Nintendo of America has confirmed that a data breach occurred via TinyPulse, a third-party service used for internal employee surveys, but stated that its own systems were not compromised.

The Shadowbyt3$ threat group claimed responsibility for the incident, alleging the exfiltration of sensitive employee data, including bank statements and W-9 forms. Nintendo, however, maintains that only internal survey content from a small subset of employees, dating back several years, was accessed. The company emphasized that no personal customer or financial data was compromised and that its own systems remain secure.

TinyPulse is an employee engagement and feedback platform owned by WebMD Health Services. Nintendo is working with the service provider to address the issue. The Shadowbyt3$ group, which describes itself as an extortion-as-a-service operation, demanded a $2 million ransom. While the group claims to have stolen approximately 1GB of data, BleepingComputer could not independently verify the authenticity of the leaked information. Law enforcement agencies generally advise against paying ransoms to cybercriminals.

Source: Bleeping Computer