Four months after a cyberattack on Witcher and Cyberpunk 2077, CD Projekt Red has admitted that employee and game-related data appears to be circulating in the cyber underground, according to Threat Post.
CD Projekt Red was the victim of a ransomware attack earlier this year, carried out by a cybercriminal group believed to be the HelloKitty gang.
The gaming developing company stated at the time that cybercriminals “gained access to our internal network, collected certain data belonging to CD PROJEKT Capital Group and left a ransom note”.
The ransomware also encrypted the computers, but CD Projekt Red was able to restore everything from the backup, so the stolen data was the real problem.
Ransomware groups increasingly rely on double extortion, threatening to auction stolen data if victims do not pay up. Many also run name-and-shame blogs where operators publish hacked data from victims who refused to pay up.
In the ransom note, the cybercriminals claimed they put their hands of complete copies of the source code for Cyberpunk 2077, Gwent, The Witcher 3, and an unreleased version of The Witcher 3. The stolen data also included sensitive corporate information from accounting, administration, HR, investor relations, legal, and other areas.
Cybercriminals threatened the company with leaking or selling the source code
The ransom note said, “Source codes will be sold or leaked online, and your documents will be sent to our contacts in gaming journalism”.
It went on to warn that failure to pay would impact the company’s public image, stock price, and investor confidence. The attackers threaten to reveal how poorly the company was being run.
Four months later, it seems they kept their promise. CD Projekt Red claimed in an update that its security team “now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the internet”.
It also stated that it is in the process of determining which data is being distributed, “though we believe it may include current/former employee and contractor details in addition to data related to our games. Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach.”
Regardless of the type of material distributed, the company stated it will do everything in its power to protect the privacy of its employees and all others involved. Moreover, they are committed and prepared to take action against anyone who discloses the disputed information.