
Shimano allegedly hit by massive ransomware attack threatening to release confidential data

The ransomware attackers claim to be in possession of 4.5TB of data belonging to the Japanese components giant, including factory inspection results, lab tests and financial documents

Shimano, the world's leading manufacturer of cycling components, seems to have been hit by a massive data breach by the ransomware group LockBit, which has threatened to release confidential data, including factory inspection results, lab tests and financial documents, by 5 November if its demands are not met.

LockBit is a major international cybercrime group that uses malware to breach global corporations' security protocols and attempts to extort money in exchange.

Its previous targets have included Royal Mail, with the British postal company's international services severely disrupted in January 2023 due to the attack. American aeroplane and missile manufacturer Boeing is the latest victim of the group, with the company officially confirming the attack yesterday.


Reports of the attack on Shimano emerged after the cyber security group FalconFeeds.io posted a screenshot obtained from the dark web on Thursday evening, showing that the hackers have access to 4.5TB of data belonging to the Japanese manufacturer of cycling components, fishing tackle and rowing equipment.

The allegedly stolen data includes confidential employee details, financial documents, a client database and other crucial information such as factory inspection results (violations), reports from production, confidential diagrams/drawings, development materials, laboratory tests, and more.

At the bottom of the screenshot, it says: "All available data will be published!". The deadline set by the hackers is 05 November 18:34 UTC.

When road.cc reached out to Shimano for comment, a spokesperson for the company said: “This is an internal matter at Shimano, and we cannot comment on anything at this time.”

The screenshot, however, is consistent with other victim organisations targeted on the ransom website of the LockBit 3.0 variant.


Shimano has recently been under global scrutiny since its recall programme for 760,000 Dura-Ace and Ultegra bonded 11-speed road cranksets in North America.

Last month, a class-action lawsuit was filed against the company for providing "inadequate cranksets" which have put cyclists across the country at risk of injuries. The case alleged that Shimano, along with bike brands Specialized and Trek, was aware "for years" that the bonded components of Shimano Hollowtech II cranksets could break, yet waited until 21 September 2023 to announce a voluntary recall of the cranksets, produced between 2012 and 2019, citing a "possible bonding separation issue" in North America.

In the UK, and since our most recent investigation and news coverage on this issue was published, the Office for Product Safety and Standards (OPSS) published a product safety report that concluded the affected Shimano cranksets "do not meet the requirements of the General Product Safety Regulations 2005."

road.cc has also been hearing stories for many years now of cyclists whose Shimano Hollowtech cranksets were snapping underneath them, and has collaborated with Dr Mark Bingley, the Principal Lecturer and Programme Leader for Mechanical Engineering at the University of Greenwich, to investigate further and better understand the issue.


More recently, Shimano commented on the continuing "weak" outlook of the global cycling market, as the company revealed that sales of bicycle components fell by a quarter during the opening nine months of the year. Figures also revealed that sales of bicycle components in the key European market are hardest hit, and are forecast to drop by half in the second half of 2023.

The LockBit group is meanwhile claimed to be based in the Netherlands, although there is speculation that it could have originated in eastern Europe or Russia. Three Russian nationals have previously been charged by the US Department of Justice (DOJ) for alleged participation in LockBit’s operations, with the DOJ describing the group as the creator of “one of the most active and destructive ransomware variants in the world.”

Adwitiya joined road.cc in 2023 as a news writer after completing his masters in journalism from Cardiff University. His dissertation focused on active travel, which soon threw him into the deep end of covering everything related to the two-wheeled tool, and now cycling is as big a part of his life as guitars and football. He has previously covered local and national politics for Voice Cymru, and also likes to write about science, tech and the environment, if he can find the time. Living right next to the Taff trail in the Welsh capital, you can find him trying to tackle the brutal climbs in the valleys.


14 comments

SecretSam | 1 year ago
2 likes

Maybe the crims own some of Shimano's disintegrating cranks.

brooksby | 1 year ago
4 likes

If Shimano are infected with a ransomware malware thingy, does that mean you shouldn't use any of their electronic shifting tech "just in case"...?

Matthew Acton-Varian replied to brooksby | 1 year ago
9 likes

You can't hack good old gear cables!

hawkinspeter replied to brooksby | 1 year ago
10 likes
brooksby wrote:

If Shimano are infected with a ransomware malware thingy, does that mean you shouldn't use any of their electronic shifting tech "just in case"...?

I changed up a gear and it changed the channel on my telly!

Bigfoz | 1 year ago
0 likes

Shimano reveals sales of components fallen by a 1/4... So is that across the global market for all manufacturers, or is this the impact on Shimano alone as people rush to buy other chainsets or are just put off by the catastrophic customer relations response to the crankset issue? 

Secret_squirrel | 1 year ago
4 likes

Kinda Sucks to be Shimano this week.

Selfishly kinda hoping the source code for DI2 gets released so we can get some intrepid hackers breaking the artificial incompatibilities Shimano introduce every time they bump up the cogs at the back. 12sp DuraAce R9100 anyone?

Jem PT | 1 year ago
7 likes

Surely they're just phishing???

Pot00000000 replied to Jem PT | 1 year ago
3 likes

That's the reels department.

Spammercial | 1 year ago
1 like

Nice...is the money they pay to get the data back, deductible from taxes? If yes...here we are...

Miller | 1 year ago
4 likes

What a plague ransomware is becoming. My youngest son's school (!) was a victim at the beginning of this autumn term with impacts including being unable to provide proper school meals for the first two weeks of the term.

andystow replied to Miller | 1 year ago
4 likes
Miller wrote:

What a plague ransomware is becoming. My youngest son's school (!) was a victim at the beginning of this autumn term with impacts including being unable to provide proper school meals for the first two weeks of the term.

What a shame that we've built such fragile systems that a school can't just fall back on however providing meals was done before computers.

Miller replied to andystow | 1 year ago
3 likes

The trouble was that the tills were down and they had no way of accepting payment.

andystow replied to Miller | 1 year ago
2 likes

So do it on paper until the problem's fixed, enter it into the computer later.

ubercurmudgeon replied to Miller | 1 year ago
3 likes

All of the British Library's IT systems have been down all week for the same reason:

https://www.theguardian.com/books/2023/oct/31/british-library-suffering-...
