Nintendo employee survey data stolen via third-party HR tool TinyPulse
Nintendo of America has confirmed that attackers stole internal employee data through TinyPulse, a third-party employee-survey service run by WebMD Health Services, after a threat actor calling itself SHADOWBYT3$ posted the haul and demanded a $2 million ransom. Nintendo says its own systems were not breached, no customer or financial data was touched, and the exposure is limited to internal survey content for a small subset of employees, mostly several years old. The attacker, however, claims to hold more, including bank statements and tax forms. The incident is a textbook third-party vendor breach affecting a major brand.
- Check: Review which third-party HR and survey tools hold employee data, what they store, and how access is secured, and watch for phishing aimed at employees referencing surveys or HR programs.
- Affected: Nintendo of America employees whose internal survey responses were exposed via the TinyPulse service; the threat actor claims additional data, which Nintendo has not confirmed.
- Fix: Inventory and risk-assess third-party tools holding employee data, require strong authentication and least-privilege access for vendor integrations, and minimize the sensitive data shared with such services.