CD Projekt employee data exposed by ransomware attack may be online

Cyberpunk studio reveals February breach was worse than originally thought

The CD Projekt Group, which owns Cyberpunk and Witcher developer CD Projekt Red, has warned that sensitive data -- including that of its own employees -- was likely exposed during a security breach earlier this year.

In a statement, the Polish developer said it has discovered new information about the breach, and now has reason to believe that some illegally gathered data is "currently being circulated on the internet."

"We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games," the company said.

"Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach."

The studio said it is working with several security experts and services, as well as law enforcement agencies, including the general police headquarters of Poland. The company has also contacted Interpol and Europol.

CD Projekt also emphasised the security measures it has taken since the attack to protect against future breaches, including a redesigned IT infrastructure, new firewalls and a new remote access process.

"We would also like to state that -- regardless of the authenticity of the data being circulated -- we will do everything in our power to protect the privacy of our employees, as well as other involved parties," the statement concludes. "We are committed and prepared to take action against parties sharing the data in question."

The breach occurred in February, where an "unidentified actor" stole data from the company's internal network, charging CD Projekt a ransom to get it back. Data stolen was said to include the source codes for Cyberpunk 2077, The Witcher 3 (including an unreleased version) and Gwent.

The hacker's note to CD Projekt claimed they had also "dumped all of your documents relating to accounting, administration, legal, HR, investor relations, and more" on the internet.

CD Projekt was given 48 hours to pay the ransom, but refused. A few days later, a cyberintelligence company claimed the stolen source code had been sold.

It later emerged that CD Projekt Red staff had been locked out of the computers for up to two weeks while the studio dealt with the attack, contributing to a delay for the next Cyberpunk 2077 patch.

More stories

Call of Duty QA workers vote to unionize

78% of Raven Software testers vote to form union, ask Activision Blizzard to voluntarily recognize a group of 34 members

By Brendan Sinclair

How do you learn from failures that succeed? | This Week in Business

Lego Star Wars is a complicated build, ex-BioWare developers dispel the notion of BioWare Magic, and we sift through the chatter around Microsoft's Activision Blizzard deal

By Brendan Sinclair

Latest comments

Sign in to contribute

Need an account? Register now.