Nintendo of America has disclosed that employee survey data was exposed in a cyberattack targeting TinyPulse, a third-party employee engagement platform used for internal surveys. The company maintains that the incident was confined to the external service provider and did not affect Nintendo's internal systems or compromise any customer or financial information. The disclosure came after the threat actor Shadowbyt3$ publicly claimed responsibility and alleged theft of sensitive employee data.

TinyPulse is an employee engagement platform that provides anonymous surveys, workplace culture assessments, and feedback collection tools. Nintendo of America, which oversees operations in the United States, Canada, and parts of Latin America, used the service for internal employee surveys. The company stated it is working with TinyPulse to address the security incident.

According to Nintendo, the exposed data consists of internal survey content involving only a small subset of employees, with most information dating back several years. However, Shadowbyt3$ presents a different picture, claiming to have exfiltrated nearly 1GB of data that includes full names, email addresses, analytics and survey data, bank statements, W-9 forms with employee IDs, progress plans, and reports spanning from 2016 to 2026. The threat actor initially gave Nintendo 48 hours to enter negotiations before threatening to leak the information.

Shadowbyt3$ demanded a $2 million ransom payment and later clarified that the breach does not affect Nintendo gaming operations but impacts employees who used TinyPulse. In subsequent posts, the threat actor warned that more victims would emerge and published what they claim are leaked direct messages and employee conversations, suggesting Nintendo declined to pay the ransom demand.

Organizations using third-party employee engagement platforms should review their vendor security practices and data handling agreements. Companies should verify what employee information is stored by external survey providers and ensure appropriate security controls are in place. Affected Nintendo employees should monitor for potential identity theft or phishing attempts using the exposed information, particularly if personal details like W-9 forms were indeed compromised as claimed.

Source: https://thecyberexpress.com/tinypulse-cyberattack-nintendo/