You don't negotiate with Team Rocket: How Game Freak may have responded to a cyber attack

Pokémon is a generationally-spanning cultural marker. Whether you're 50 or five, you probably have a memory of playing a Pokémon video game, collecting and trading Pokémon cards, or watching Pokémon reruns on TV.

And anyone who's watched Pokémon knows that Ash never negotiated with Team Rocket, the recurring villainous trio who were determined to steal Pikachu from our hero Pokémon trainer.

While this is pure speculation and we have no actual knowledge of what occurred, it appears that Game Freak, which has made the Pokémon video games for decades, may have similarly refused to negotiate with hackers who we do know breached Game Freak's databases and extracted extremely sensitive information and high value data.

According to publicly available reports, in August 2024, Game Freak suffered a security breach from a third-party actor.^[1] Game Freak confirmed the breach to the public in early October, around the same time leaks began appearing on various forums.^[2] The breadth of the leaks remains unclear, but per Game Freak's own statement the breach included exfiltration of employee information.^[3] Analysis by those who have accessed the gigabytes of leaked files suggests it also contains game design assets and code for past and future game releases.^[4]

It is not certain whether a ransom was in fact demanded, but this scenario provides an interesting lead-in to this article. It is often the case that, prior to the release of sensitive information of the victims, hackers make a ransom demand, with the threat that if the ransom is not paid, they will publicize the information.

So, if we assume (solely for the purposes of this article and without any actual knowledge or verification) that the hackers did make a ransom demand to Game Freak, and Game Freak refused to negotiate or meet the asking price despite the evident risk of extremely sensitive and highly valuable information being leaked to the public, we should ask ourselves "why."

Now, not every organization can just say "no" to a ransom demand. A hospital has to consider very different factors than a dry-cleaner. But regardless of what business they are in, there are core steps every organization should be proactive in taking to maximize their opportunity to say "no" when being extorted by a hacker.

Resiliency to a ransomware attack is developed iteratively, with implementation of a plan followed by testing and coaching, and revisions as needed. But ideally, an organization should be able to check off the following:

1. Maintain up-do-date IT environments and robust backup solutions. Organizations will have to balance the costs and risks when determining what works for them. At minimum, ensuring personnel are adhering to best practices in using the organization's equipment, and patching known exploits as soon as possible can significantly reduce the risk of the organization suffering an incident at all. Compartmentalizing various aspects of the business's operations can also help with trying to limit the damage a hack may cause.
2. Ensure all personnel are aware of best security practices. A chain is only as strong as its weakest link. Social engineering remains an extremely effective way for hackers to get into systems. Organizations should be proactive in keeping everyone with access to its IT environment apprised of common red flags can help stymie a hack attempt or at least flag suspicious behaviour to be traced.
3. Identify the crown jewels. Know what an organization cannot afford to lose or have disclosed (such as employee information, or intellectual property and other proprietary assets), and ensure this data is stored and backed up separately. To the extent public disclosure can have a legal or commercial impact (for instance trade secrets or unpatented inventions), this should be accounted for in any incident response plan.
4. Have insurance coverage. Particularly, policies that apply to cyber security incidents. Organizations will have to determine the level of risk they are comfortable with (and the attendant premiums), but a good policy should account for direct and consequential expenses, including the costs of forensic investigators and legal counsel. Knowing the requirements to trigger a policy is also important. Some policies require the insurer to sign off on major decisions, including legal counsel, and that can be a roadblock during a crisis if it isn't anticipated beforehand.
5. Identify relevant stakeholders. Know who needs to be informed of an incident. There will often be privacy-related reporting obligations, which can vary across jurisdictions. There may also be contractual requirements with vendors or clients to keep them apprised of any breach. Having an up-to-date list of what needs to be reported, and to whom, can save critical crisis-response time for the organization.
6. Have a crisis roadmap. All the steps above should be accounted for in the crisis roadmap. Have a script setting out initial response steps, including a clear decision-making structure which will allow you to move quickly in making authorizations and key decisions to respond to the incident. Many decisions will need to be made in the wake of an incident that would not be part of the business's normal operations, and the risk of paralysis can be very real.

If an incident occurs, organizations must be prepared to move quickly to corral the key information and act on it. Some questions an organization must be prepared to immediate address include:

1. What happened? Has data only been encrypted, or has it been extracted? Are threat actors still actively in the IT environment and monitoring communications? Can the encrypted data be restored independently of the threat actors? Knowing what happened is essential for knowing how to use the crisis roadmap.
2. Who needs to know what, and when? If data has been ex-filtrated or frozen, who needs to be alerted immediately and who can be informed later? Which law enforcement or regulatory authorities need to be looped in, and when? Is there an insurance policy that requires notice to the insurer?
3. Is there a ransom demand, and can/should we even pay it? It is not strictly speaking illegal to pay a ransom demand, but organizations must be mindful of whether the threat actors they are dealing with are on any sanction lists which could criminalize payments. Even if it is not on a sanctions list, the trustworthiness of threat actors can vary significantly – with some having reputations of keeping their word and others being less predictable.
4. What is the business and legal risk? What is the business loss if the data remains encrypted or is exposed? What legal jeopardy will the organization be in if the data has been exposed? From whom?

Dealing with a ransomware attack can be a surreal experience, and it can feel like being robbed at gunpoint by a ghost. Organizations that may be used to making decisions over days or weeks must be able to act within hours. Having a crisis roadmap and the capacity to quickly scan and identify what happened can significantly enhance the ability of an organization to react to the threat, however it manifests.

If Game Freak was asked for a ransom and did refuse to pay, such a decision would not have been easy and would have required balancing the risks and benefits of having invaluable and sensitive information stolen against the business expediency of recovering assets by paying the ransom.

It is important to note that organizations that suffer a breach do not need to fend for themselves. There is an entire industry that has grown in response to the rise in cyber security incidents. Breach coaches (who are often lawyers), as well as forensic investigators and negotiators, can offer immediate advice and expertise to organizations to help orient them in the crisis. Law enforcement and regulators are also often prepared to offer assistance when asked. But these resources are reactive, and the better prepared an organization can be in advance of a crisis, the easier it can be to know when to just say "no."

---