CD Projekt Red was hacked in February, resulting in the theft of internal documents and source code for games including Gwent, The Witcher 3: Wild Hunt, and Cyberpunk 2077. The hackers threatened to release the data unless a ransom was paid, which the studio refused to do; shortly thereafter the hackers reportedly began releasing the code, which CD Projekt attempted to keep a lid on by way of DMCA takedown notices.
Despite those efforts, it was reported by databreaches.net (via Eurogamer) earlier this month that the stolen data—ranging from source code to internal "comedy bug reels"—are in the wild, and that passwords to the encrypted files had either been cracked or were being shared voluntarily. Either way, it seemed that anyone who wanted access could get it.
Today, CD Projekt issued a statement confirming that the data is in fact now being circulated online. "We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games," it said. "Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach."
IMPORTANT UPDATE. Read more: https://t.co/qd6sc5VF3I pic.twitter.com/kKi1GkIaLO (June 10, 2021)
CD Projekt is now working with law enforcement agencies including the General Police Headquarters of Poland, Interpol, and Europol, as well as other "appropriate services [and] experts" to resolve the matter. It's also implemented a number of new internal security measures to help prevent breaches like this in the future:
- Our core IT infrastructure has been redesigned and rolled out
- New next-generation firewalls with advanced anti-malware protection have been implemented
- A new remote-access solution has been employed
- The number of privileged accounts, and access rights to accounts, has been limited
- A new mechanism for the protection of endpoints, servers, and networks has been installed
- Our event-monitoring mechanisms have been improved
- We have expanded our internal security department
"We would also like to state that—regardless of the authenticity of the data being circulated—we will do everything in our power to protect the privacy of our employees, as well as all other involved parties," CD Projekt said. "We are committed and prepared to take action against parties sharing the data in question."
It's progress, but it's also surprising (and, honestly, disappointing) that four months after the attack, CD Projekt still can't say exactly what data was stolen, or who might be impacted by it. The timing of today's announcement, which appeared without notice in the midst of Geoff Keighley's Summer Game Fest Kickoff livestream, also raised a few eyebrows.
Dropping this now during a week-long kickoff of gaming press events? Doesn’t exactly inspire confidence. (June 10, 2021)
posting this during Keighley's thing is laughable. good christ. (June 10, 2021)
Wow, the amount of goodwill you already burned, and now you release this in the middle of Summer Gamefest - just wow. (June 10, 2021)
I've reached out to CD Projekt for more information on what data was taken during the breach, and will update if I receive a reply.