The Canon Ransomware Attack Probably More Costly Than the 70-200mm You Want

Just about a week after Canon rolled out a full-on cybersecurity toolkit for small businesses across the US, the fan-favourite camera company’s revealed that it’s suffered two pretty serious ransomware attacks that’ve resulted in at least 10 terabytes of company-wide data being held up for an undisclosed ransom.

While Canon’s been pretty scant on the details of what data’s being held on the table here — and how many of its customers might be on the line — BleepingComputer reports that the first attack hit Canon’s internal systems, including its Microsoft Teams and company email accounts, towards the tail end of last month. In the ensuing fracas, Canon ended up pulling roughly two dozen of its domains while it “investigated the issue.”

One of these domains just happened to be the site where Canon customers upload their public or not-so-public photos. For six days, the page was stuck showing status updates, before going live again yesterday, plastered with a handy company statement letting us know why they were MIA for the week:

On July 30, 2020, we identified an issue involving the 10GB long-term storage on image.canon. In order to conduct further investigation, we temporarily suspended both the mobile application and web browser service of image.canon.

After the investigation, we identified that some of the photo and video image files saved in the 10GB long-term storage prior to June 16, 2020 9:00am (JST) were lost. We confirmed that the still image thumbnails of the affected files were not affected, and there was no leak of image data.

Hmmm. So according to Canon, there wasn’t any “image data” leaked out here, despite also saying that “some of the photo and video image files” that were saved in its system were mysteriously lost.

Weirdly enough, despite the company-wide and photo-facing hacks happening around the same time, it looks like they’re unrelated since Maze — the ransomware gang behind the former heist — has said that it wasn’t one of their targets. That means that Canon is either really, really unlucky, or really, really bad at cybersecurity, or both.

We’ve reached out to Canon for additional comment and will update should we hear more, and if you have additional details reach out to me at swodinsky@gizmodo.com or anonymously via SecureDrop.

