CD Projekt, the Polish studio behind ‘The Witcher 3’ and ‘Cyberpunk 2077’, did not start the year off on the right foot. In early February they confirmed that they had been the victims of a ransomware attack and that the attackers had accessed certain information, including source code for some games. Later, it emerged that the information was put up for sale in an online auction that was closed because someone made a “satisfactory offer”.
It seemed that the subject was close to being closed, but nothing could be further from the truth. And it is that CD Projekt Red has published a statement on its website in which they assure that they have received new information and that now “we have reason to believe that the internal data obtained illegally during the attack are circulating on the internet“.
Not only does there seem to be data from the games
From the company they affirm not being sure of the exact content, but believe that it may “include details of current or former employees and contractors, as well as data related to our games.” Nor can they confirm that the data was not tampered with or tampered with after the attack. What’s more, to this day, it is not known who paid for the filtering of the files.
On the other hand, from the Polish study they claim to be working with, among other organizations, the General Headquarters of the Police of Poland. CDPR has also contacted Interpol and Europol and claims to have taken multiple security measures, such as new firewalls or expanded security equipment, to prevent such attacks in the future. Finally, they conclude that:
[…] Regardless of the authenticity of the data circulating, we will do everything in our power to protect the privacy of our employees, as well as all other parties involved. We are committed and prepared to take action against the parties that share the data in question. “
The attack on CDPR occurred last February. Through a ransomware, attackers encrypted certain devices, but the backups remained intact. However, the attack has had consequences at the player level, since it forced the company to delay patch 1.2 of ‘Cyberpunk 2077’ until March, when it was originally scheduled for February.
At the moment, all we can do is wait to see the extent of the leak and what the data holders will do with it. CD Projetk explained shortly after the attack that between encrypted files there were employment contracts, copies of identity documents, employee questionnaires, payroll information, and even data included in requests for private health care.
At the time CDPR said that “after our investigation, we have not found any evidence that any personal data was actually transferred outside of the company network”, although “due to the attackers’ course of action, we may never be able to say for sure if they actually copied any personal data“.
More information | CD Projekt