Shimano, the world's leading manufacturer of cycling components, seems to have been hit by a massive data breach by the ransomware attacker LockBit, who has threatened to release confidential data, including information such as factory inspection results, lab tests and financial documents by 5 November if their demands are not met.
LockBit is a major international cybercrime group that uses malware to breach global corporations' security protocols and attempts to extort money in exchange.
Its previous targets have included Royal Mail, whose international services were severely disrupted in January 2023 as a result of the attack. American aeroplane and missile manufacturer Boeing is the latest victim of the group, with the company officially confirming the attack yesterday.
The reports of the attack on Shimano emerged after the cyber security group FalconFeeds.io posted a screenshot obtained from the dark web on Thursday evening, showing that the hackers have access to 4.5TB of data belonging to the Japanese manufacturer of cycling components, fishing tackle and rowing equipment.
The allegedly stolen data includes confidential employee details, financial documents, client database and other crucial information such as factory inspection results (violations), reports from production, confidential diagrams/drawings, development materials, laboratory tests, and more.
At the bottom of the screenshot, it says: "All available data will be published!". The deadline set by the hackers is 05 November 18:34 UTC.
When road.cc reached out to Shimano for comment, a spokesperson for the company said: “This is an internal matter at Shimano, and we cannot comment on anything at this time.”
The screenshot, however, is consistent with the listings of other victim organisations on the leak site of the LockBit 3.0 variant.
Shimano has recently been under global scrutiny since its recall programme for 760,000 Dura-Ace and Ultegra bonded 11-speed road cranksets in North America.
Last month, a class-action lawsuit was filed against the company for providing "inadequate cranksets" which have put cyclists across the country at risk of injuries. The case alleged that Shimano, along with bike brands Specialized and Trek, were aware "for years" that the bonded components of Shimano Hollowtech II cranksets could break, yet waited until 21 September 2023 to announce a voluntary recall of the cranksets, produced between 2012 and 2019, citing a "possible bonding separation issue" in North America.
In the UK, and since our most recent investigation and news coverage on this issue was published, the Office for Product Safety and Standards (OPSS) published a product safety report that concluded the affected Shimano cranksets "do not meet the requirements of the General Product Safety Regulations 2005."
road.cc has also, for many years now, been hearing stories of cyclists whose Shimano Hollowtech cranksets snapped underneath them, and collaborated with Dr Mark Bingley, the Principal Lecturer and Programme Leader for Mechanical Engineering at the University of Greenwich, to investigate further and better understand the issue.
More recently, Shimano had commented about the continuing "weak" outlook of the global cycling market, as the company revealed that sales of bicycle components fell by a quarter during the opening nine months of the year. Figures also revealed that sales of bicycle components in the key European market are hardest hit, and are forecast to drop by half in the second half of 2023.
The LockBit group is meanwhile claimed to be based in the Netherlands; however, there is speculation that it originated in eastern Europe or Russia. Three Russian nationals have previously been charged by the US Department of Justice (DOJ) for alleged participation in LockBit's operations, with the DOJ describing the group as the creator of "one of the most active and destructive ransomware variants in the world."
Maybe the crims own some of Shimano's disintegrating cranks.
If Shimano are infected with a ransomware malware thingy, does that mean you shouldn't use any of their electronic shifting tech "just in case"...?
You can't hack good old gear cables!
I changed up a gear and it changed the channel on my telly!
Shimano reveals sales of components have fallen by a 1/4... So is that across the global market for all manufacturers, or is this the impact on Shimano alone as people rush to buy other chainsets or are just put off by the catastrophic customer relations response to the crankset issue?
Kinda Sucks to be Shimano this week.
Selfishly kinda hoping the source code for DI2 gets released so we can get some intrepid hackers breaking the artificial incompatibilities Shimano introduce every time they bump up the cogs at the back. 12sp DuraAce R9100 anyone?
Surely they're just phishing???
That's the reels department.
Nice...is the money they pay to get the data back, deductible from taxes? If yes...here we are...
What a plague ransomware is becoming. My youngest son's school (!) was a victim at the beginning of this autumn term with impacts including being unable to provide proper school meals for the first two weeks of the term.
What a shame that we've built such fragile systems that a school can't just fall back on however providing meals was done before computers.
The trouble was that the tills were down and they had no way of accepting payment.
So do it on paper until the problem's fixed, enter it into the computer later.
All of the British Library's IT systems have been down all week for the same reason:
https://www.theguardian.com/books/2023/oct/31/british-library-suffering-...