Kavi Sivasothy
Associate
Article
Pokémon is a generationally-spanning cultural marker. Whether you're 50 or five, you probably have a memory of playing a Pokémon video game, collecting and trading Pokémon cards, or watching Pokémon reruns on TV.
And anyone who's watched Pokémon knows that Ash never negotiated with Team Rocket, the recurring villainous trio who were determined to steal Pikachu from our hero Pokémon trainer.
While this is pure speculation and we have no actual knowledge of what occurred, it appears that Game Freak, which has made the Pokémon video games for decades, may have similarly refused to negotiate with hackers who we do know breached Game Freak's databases and extracted extremely sensitive information and high value data.
According to publicly available reports, in August 2024, Game Freak suffered a security breach from a third-party actor.[1] Game Freak confirmed the breach to the public in early October, around the same time leaks began appearing on various forums.[2] The breadth of the leaks remains unclear, but per Game Freak's own statement the breach included exfiltration of employee information.[3] Analysis by those who have accessed the gigabytes of leaked files suggests it also contains game design assets and code for past and future game releases.[4]
It is not certain whether a ransom was in fact demanded, but this scenario provides an interesting lead-in to this article. It is often the case that, prior to the release of sensitive information of the victims, hackers make a ransom demand, with the threat that if the ransom is not paid, they will publicize the information.
So, if we assume (solely for the purposes of this article and without any actual knowledge or verification) that the hackers did make a ransom demand to Game Freak, and Game Freak refused to negotiate or meet the asking price despite the evident risk of extremely sensitive and highly valuable information being leaked to the public, we should ask ourselves "why."
Now, not every organization can just say "no" to a ransom demand. A hospital has to consider very different factors than a dry-cleaner. But regardless of what business they are in, there are core steps every organization should be proactive in taking to maximize their opportunity to say "no" when being extorted by a hacker.
Resiliency to a ransomware attack is developed iteratively, with implementation of a plan followed by testing and coaching, and revisions as needed. But ideally, an organization should be able to check off the following:
If an incident occurs, organizations must be prepared to move quickly to corral the key information and act on it. Some questions an organization must be prepared to immediate address include:
Dealing with a ransomware attack can be a surreal experience, and it can feel like being robbed at gunpoint by a ghost. Organizations that may be used to making decisions over days or weeks must be able to act within hours. Having a crisis roadmap and the capacity to quickly scan and identify what happened can significantly enhance the ability of an organization to react to the threat, however it manifests.
If Game Freak was asked for a ransom and did refuse to pay, such a decision would not have been easy and would have required balancing the risks and benefits of having invaluable and sensitive information stolen against the business expediency of recovering assets by paying the ransom.
It is important to note that organizations that suffer a breach do not need to fend for themselves. There is an entire industry that has grown in response to the rise in cyber security incidents. Breach coaches (who are often lawyers), as well as forensic investigators and negotiators, can offer immediate advice and expertise to organizations to help orient them in the crisis. Law enforcement and regulators are also often prepared to offer assistance when asked. But these resources are reactive, and the better prepared an organization can be in advance of a crisis, the easier it can be to know when to just say "no."
[1] https://www.darkreading.com/cyberattacks-data-breaches/insider-info-pokemon-allegedly-leaked-gaming-hack
[2] https://www.infosecurity-magazine.com/news/pokemon-developer-game-freak-data/
[3] https://www.gamefreak.co.jp/wordpress/wp-content/uploads/2024/10/info20241010.pdf?ref=blogapp.bitdefender.com – Japanese text
[4] https://nintendoeverything.com/pokemon-game-freak-hack-leak-synapse-ilca/
CECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.