Shimano allegedly hit by massive ransomware attack threatening to release confidential data

Shimano, the world's leading manufacturer of cycling components, seems to have been hit by a massive data breach by the ransomware attacker LockBit, who has threatened to release confidential data, including information such as factory inspection results, lab tests and financial documents by 5 November if their demands are not met.

LockBit is a major international cybercrime group that uses malware to breach global corporations' security protocols and attempts to extort money in exchange.

Its previous targets have included Royal Mail, with the British postal company's international services severely disrupted in January 2023 due to the attack. American aeroplane and missiles manufacturer Boeing is the latest victim of the group, with the company officially confirming the attack yesterday.

> Check your cranks! Shimano finally recalls 11-speed road cranksets after more than 4,500 incidents

The reports of the attack on Shimano emerged after a cyber security group FalconFeeds.io posted a screenshot obtained from the dark web on Thursday evening, showing that the hackers have access to 4.5TB of data belonging to the Japanese manufacturer of cycling components, fishing tackle and rowing equipments.

LockBit #ransomware group has added Shimano (https://t.co/VHmuqVE8BG) to their victim list. They claim to have access to 4.5TB of organizations data.#Japan #lockbit #darkweb #databreach #cyberattack pic.twitter.com/s3K6OvciR8

— FalconFeeds.io (@FalconFeedsio) November 2, 2023

The allegedly stolen data includes confidential employee details, financial documents, client database and other crucial information such as factory inspection results (violations), reports from production, confidential diagrams/drawings, development materials, laboratory tests, and more.

At the bottom of the screenshot, it says: "All available data will be published!". The deadline set by the hackers is 05 November 18:34 UTC.

When road.cc reached out to Shimano for comment, a spokesperson for the company said: “This is an internal matter at Shimano, and we cannot comment on anything at this time.”

The screenshot, however, is consistent with other victim organisations targeted on the ransom website of the LockBit 3.0 variant.

> Bike industry turmoil: Shimano says global cycling market remains “weak” as segment sales fall by a quarter – and worse to come?

Shimano has recently been under global scrutiny since its recall programme for 760,000 Dura-Ace and Ultegra bonded 11-speed road cranksets in North America.

Last month, a class-action lawsuit was filed against the company for providing "inadequate cranksets" which have put cyclists across the country at risk of injuries. The case alleged that Shimano, along with bike brands Specialized and Trek, were aware "for years" that the bonded components of Shimano Hollowtech II cranksets could break, yet waited until 21 September 2023 to announce a voluntary recall of the cranksets, produced between 2012 and 2019, citing a "possible bonding separation issue" in North America.

In the UK, and since our most recent investigation and news coverage on this issue was published, the Office for Product Safety and Standards (OPSS) published a product safety report that concluded the affected Shimano cranksets "do not meet the requirements of the General Product Safety Regulations 2005."

road.cc has also been hearing stories of cyclists whose Shimano Hollowtech cranksets were snapping underneath them for many years now, and had collaborated with Dr Mark Bingley, the Principal Lecturer and Programme Leader for Mechanical Engineering at the University of Greenwich, for further investigation and to better understand the issue.

> Investigating Shimano’s snapping cranksets: What happened, unanswered questions and an engineer's report

More recently, Shimano had commented about the continuing "weak" outlook of the global cycling market, as the company revealed that sales of bicycle components fell by a quarter during the opening nine months of the year. Figures also revealed that sales of bicycle components in the key European market are hardest hit, and are forecast to drop by half in the second half of 2023.

The LockBit group are meanwhile claimed to be based in the Netherlands, however there is speculation that it could've originated in eastern Europe or Russia. Three Russian nationals have previously been charged by the US Department of Justice (DOJ) for alleged participation in LockBit’s operations, with the DOJ describing the group as the creator of “one of the most active and destructive ransomware variants in the world."