Nintendo of America’s refusal to pay a $2 million ransom has left some employees with their W-9 forms and bank statements in public circulation.

Shadowbyt3$, which describes itself as an “extortion-as-a-service” operation active since October 2025, breached TinyPulse, an employee engagement platform owned by WebMD Health Services. The group gave Nintendo of America a 48-hour window to engage and demanded $2 million. When Nintendo didn’t respond, Shadowbyt3$ published what it claims is nearly 1GB of data: full names, email addresses, W-9 tax forms, bank statements, and employee records from 2016 through 2026. The extortion demand implicates 18 U.S.C. § 1030(a)(7), the Computer Fraud and Abuse Act’s extortion provision.

Nintendo confirmed the breach but contested the scope. “The data involved is limited to internal survey content comprising a small subset of our employees,” the company said. Nintendo’s gaming systems and customer accounts were not affected.

That distinction has legal weight. More than 40 states carry breach notification statutes, and the duty to notify affected employees lands on the data operator: WebMD Health Services. TinyPulse holds ISO 27001 and SOC 2 certifications, the standard enterprise security credentials, yet a group in operation for fewer than eight months penetrated it. WebMD hadn’t responded to press inquiries by publication time.

The real exposure is contractual: Nintendo’s vendor agreement with WebMD likely contains indemnification clauses triggered the moment a confirmed breach becomes a formal incident report. That clock is already running.

— James Okafor