Hackers could leak Shimano's designs to competitors, cyber security expert says

The ransomware attack on Shimano could lead to its future designs being leaked to competitors, a cyber security expert has said.

Last week it was reported by Escape Collective among others that the Japanese bike parts and fishing kit manufacturer was targeted by ransomware group LockBit, who were threatening to release 4.5 terabytes of sensitive data on November 5, 2023, at 18:34:13 UTC. It is not known if the situation was resolved on Sunday, but investigations are ongoing, as of Tuesday.

The full ransom notice was listed on Ransomlook.io, which is as an open-source project hoping to assist those tracking ransomware-related posts and activities across various sites and forums. 

The hacking notice claims that the group has breached highly sensitive data, including: 

- Employee information, including identification, social security numbers, addresses and passport scans 

- Financial documents, including balance sheets, profit and loss reports, bank statements, various tax forms and reports 

- Client data, including addresses, internal documents, mail correspondence, confidential reports, legal documents and factory inspection results 

- Other documents, including non-disclosure agreements, contracts, confidential diagrams and drawings, development materials and laboratory tests

Speaking to Cycling Weekly on Monday, Dr Harjinder Lallie, a reader in cyber security at the University of Warwick, explained that the alleged cyber criminals could potentially leak the information if the ransom was not paid, and that this could result in intellectual property being passed to competitors.

"The company is in a bit of a conundrum," Dr Lallie said. "Sure, they might have backups. So they might think, well, it doesn't matter that you've got our designs, it's not like we won't be able to continue to function, we'll carry on functioning.

"The bit that they would be really nervous about is the passport data getting leaked out obviously. And the designs ending up in the hands of competitors. There's obviously all the financial data too, which could reveal their financial position as well. Whichever way you look at it, this isn't a good place for Shimano to be."

Lockbit are an infamous cybercrime group that uses malware to breach sensitive company data and then attempts to extort money in exchange for avoiding its public release; according to Flashpoint, a cyber security company, it is responsible for 27.93% of all ransomware attacks. Among other recent victims have been Royal Mail and Boeing.

"What the cyber criminals will be doing is saying: 'Well, we're happy to give you the key, but you have to pay X amount in Bitcoin'," Dr Lallie explained. "So, they would have to pay this much into an account, and then they would decrypt it, and have their data back."

"What they normally do is threaten to leak it out," he continued. "In the case of the designs, clearly the company does not want those leaked out, because they've spent months and months, possibly years on them, making them ready to go to market. And they're basically having all their IP leaked out. Competitors would be deeply interested if it does get leaked out. They'll threaten to do it, unless they pay a Bitcoin ransom. "

When contacted last week, a Shimano spokesman said, "This is an internal matter at Shimano, which is being investigated, however we cannot comment on anything at this time."

It is not the company's first headache this year. In September, Shimano was first made to recall 760,000 cranks in the United States and Canada after concerns were raised by the Consumer Product Safety Commission on the 21st of September 2023.

Since then, Shimano launched a global 'free inspection program' available for the 2.8 million cranks that were sold between 2013 and 2019, but crucially no 'stop ride' notice has been issued outside North America.

Shimano was contacted for further comment.