Hackers release raft of stolen Shimano data online

The data stolen from Japanese componentry giant Shimano by ransomware hackers has been leaked online.

The hack and theft, which took place in early November, was first reported by Escape Collective, which then revealed the publication of the information, which has also been seen by Cycling Weekly on Friday.

The Japanese bike parts and fishing kit manufacturer was targeted by ransomware group LockBit, who were threatening to release 4.5 terabytes of sensitive data on November 5, 2023, at 18:34:13 UTC. It was then not known whether Shimano were attempting to reach an agreement with the cyber criminals or not; while the notice on the LockBit site suggested that the data had been published, it was not until this week.

The data, according to LockBit, included: employee details, including addresses and passport scans; financial documents, including bank statements and tax reports; "various confidential reports", and minutes; and also NDAs and "various diagrams/drawings marked CONFIDENTIAL".

The data that was revealed online, in various languages, across multiple folders, included spreadsheets with payroll details for thousands of employees, manufacturing data, and sales projections, alongside more mundane content like  presentations.

It now seems likely that Shimano did not pay up the ransom demand, but the company has not yet expanded on its original statement, which followed reports of the hack. At that time a spokesperson said: "This is an internal matter at Shimano, which is being investigated, however we cannot comment on anything at this time."

In the original ransom note from the LockBit group, they threated: “If you do not pay the ransom, we will attack your company again in the future."

Speaking to Cycling Weekly earlier this month, Dr Harjinder Lallie, a reader in cyber security at the University of Warwick, explained that the leak could result in intellectual property being passed to competitors.

"The company is in a bit of a conundrum," Dr Lallie said. "Sure, they might have backups. So they might think, well, it doesn't matter that you've got our designs, it's not like we won't be able to continue to function, we'll carry on functioning.

"The bit that they would be really nervous about is the passport data getting leaked out obviously. And the designs ending up in the hands of competitors. There's obviously all the financial data too, which could reveal their financial position as well. Whichever way you look at it, this isn't a good place for Shimano to be."

Shimano was contacted for further comment.