Nintendo of America has confirmed a data security incident involving an external employee -engagement platform used for conducting internal surveys. This highlights the growing cybersecurity risks associated with third-party workplace tools.
The breach reportedly occurred through TinyPulse, an employee feedback and engagement platform owned by WebMD Health Services. Nintendo clarified that its own internal systems were not compromised and that the incident was limited to information hosted on the external service.
The issue came to light after a cybercriminal group known as Shadowbyt3$ claimed responsibility for the breach. The group alleged that it had accessed and exfiltrated sensitive employee information, including financial documents and tax-related records. It also reportedly demanded a ransom of $2 million.
Nintendo, however, has disputed the extent of the exposure. The company stated that its investigation found that the accessed data was limited to internal survey responses belonging to a small group of employees and dated back several years. It further emphasised that no customer information, payment data or financial records maintained by Nintendo had been affected.
The company has also indicated that there is no evidence suggesting a compromise of its own networks or infrastructure. It is currently working with the third-party service provider to investigate the incident and strengthen security measures.
Reportedly, the threat group claims to have obtained around one gigabyte of data. However, the authenticity and scope of the allegedly stolen information have not been independently verified.
The incident underscores the growing challenges organisations face in managing cybersecurity risks across an expanding ecosystem of third-party vendors and workplace technology platforms. As companies increasingly rely on external tools for employee engagement, surveys and workforce management, experts continue to stress the importance of rigorous vendor-risk assessments, data governance and cybersecurity oversight.
The breach serves as a reminder that vulnerabilities in third-party systems can create significant reputational and employee-trust concerns, even when an organisation’s core systems remain unaffected.
