Virtual Round Table · Jul 22

View the event
BlackField Demands 2 Million Dollars From Nidec, and a Taiwanese Subsidiary Becomes the Way In
Cybersecurity

BlackField Demands 2 Million Dollars From Nidec, and a Taiwanese Subsidiary Becomes the Way In

A previously unknown gang says it stole 2 terabytes from Nidec Chaun Choung Technology and is pricing the data by the day. Nidec says its main network is untouched.

PublishedJuly 14, 2026
Read time5 min read
Share

A New Gang and a Two Terabyte Claim

A previously unknown ransomware crew calling itself BlackField has put Japanese motor and industrial manufacturer Nidec on notice, claiming it breached the company's Taiwanese subsidiary and exfiltrated roughly 2 terabytes of data. The target was Nidec Chaun Choung Technology, and BlackField says the haul includes employee records, financial data, procurement files, manufacturing documents, legal correspondence and IT infrastructure files. The group posted sample files to prove the breach, though independent researchers who reviewed the claim could not verify the authenticity of the data. Nidec confirmed the incident and its impact on the subsidiary's server.

The compromise was confirmed on June 22, 2026, and the appearance of a brand new gang is itself worth noting. New names on leak sites often signal fresh crews, splinters of disbanded operations, or rebrands designed to shed the baggage of a sanctioned identity. Whatever BlackField turns out to be, it has arrived with a substantial claim against a globally significant supplier, and it is running the now standard double extortion play of stealing data first and threatening publication rather than relying purely on encryption to force a payment.

The Subsidiary Firewall, Tested

Nidec's public response leans hard on the idea of network separation. The company said emergency measures, including shutting down the affected server and network, were taken as soon as the attack was discovered. It stressed that the Taiwanese subsidiary operates an independent network, and that the incident did not affect the systems of Nidec Corporation or other companies in the Nidec Group. In effect the parent is telling customers and investors that a wall held, and that the blast radius stopped at one subsidiary rather than spreading across a sprawling multinational.

We think that architecture deserves credit and scrutiny in equal measure. Segmentation between a subsidiary and the wider group is exactly the control that limits a bad day to one business unit instead of the whole enterprise, and if it worked here it did its job. The uncomfortable flip side is that the same independence often means weaker central oversight. A subsidiary with its own network frequently has its own patch cadence, its own tooling and its own gaps, and those gaps are precisely what an attacker looks for. Isolation contains damage, but it can also hide the neglect that lets the attacker in.

Extortion Priced Like a Product

What stands out about BlackField is the crassly commercial structure of its demand. The gang is asking Nidec for 2 million dollars to delete the stolen information. If the company will not pay that, the group offers a menu: 400,000 dollars for a third party to buy the entire dataset outright, and 5,000 dollars to extend the leak deadline by a single day. It is extortion packaged like a pricing page, with tiers and add ons designed to squeeze money from the victim, from data brokers, and from anyone else with an interest in the material.

That structure tells you how mature this criminal market has become. The per day extension fee is engineered to keep a nervous victim paying small amounts while it deliberates, turning indecision into recurring revenue for the attacker. The discounted bulk sale price undercuts the deletion demand and signals that the data has value regardless of whether Nidec pays, which is meant to pressure the company by threatening a sale to competitors or fraudsters. For a manufacturer sitting on procurement, manufacturing and legal files, the prospect of that material reaching rivals is arguably scarier than the encryption itself.

A Repeat Target

This is not Nidec's first encounter with ransomware, and the pattern is instructive. In October 2024 the company disclosed a separate breach of its Vietnam based Nidec Precision division, an incident that exposed more than 50,000 sensitive files and was claimed by both the 8Base and Everest ransomware groups. Two incidents in under two years, both landing on overseas divisions rather than the corporate core, suggest that the edges of the group are where the exposure concentrates. Attackers have learned that the subsidiary is often the softest and least monitored part of a large manufacturer.

For any enterprise built by acquisition or spread across regions, that is the takeaway to carry into the next board meeting. A global brand is only as secure as its least governed unit, and the units furthest from headquarters tend to inherit the least security investment and attention. Consistent minimum standards for patching, monitoring and identity across every subsidiary are not a nice to have. They are the difference between an incident that stays contained to one server and one that repeats every eighteen months on a different continent, each time putting the parent brand on a leak site it does not control.

The Board Level Question

Nidec has not said whether it will pay, and the honest answer to whether it should is that payment solves very little. Even if the company pays the 2 million dollars, it is trusting a brand new criminal group to delete data it has already copied, and BlackField's own pricing shows the data can be sold to others regardless. The leverage the gang holds comes from the sensitivity of what it took, which means the real decision was made long before the ransom note, in how well that subsidiary protected its files in the first place.

The strategic question for executives is therefore not how to negotiate but how to make the next subsidiary breach a non event. That means knowing exactly what sensitive data each unit holds, minimizing and encrypting it, and ensuring segmentation is paired with central visibility rather than serving as an excuse for neglect. Nidec's wall appears to have contained this incident, and that is a genuine win. The work now is to make sure the next attacker who probes an overseas division finds a patched server and a monitored network instead of an open door and two terabytes waiting to be taken.

Tagged#news#security#ransomware#breach#cybersecurity