CD Projekt employee data exposed by ransomware attack may be online

Cyberpunk studio reveals February breach was worse than originally thought

The CD Projekt Group, which owns Cyberpunk and Witcher developer CD Projekt Red, has warned that sensitive data -- including that of its own employees -- was likely exposed during a security breach earlier this year.

In a statement, the Polish developer said it has discovered new information about the breach, and now has reason to believe that some illegally gathered data is "currently being circulated on the internet."

"We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games," the company said.

"Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach."

The studio said it is working with several security experts and services, as well as law enforcement agencies, including the general police headquarters of Poland. The company has also contacted Interpol and Europol.

CD Projekt also emphasised the security measures it has taken since the attack to protect against future breaches, including a redesigned IT infrastructure, new firewalls and a new remote access process.

"We would also like to state that -- regardless of the authenticity of the data being circulated -- we will do everything in our power to protect the privacy of our employees, as well as other involved parties," the statement concludes. "We are committed and prepared to take action against parties sharing the data in question."

The breach occurred in February, when an "unidentified actor" stole data from the company's internal network and demanded a ransom from CD Projekt to get it back. The stolen data was said to include the source code for Cyberpunk 2077, The Witcher 3 (including an unreleased version) and Gwent.

The hacker's note to CD Projekt claimed they had also "dumped all of your documents relating to accounting, administration, legal, HR, investor relations, and more" on the internet.

CD Projekt was given 48 hours to pay the ransom, but refused. A few days later, a cyberintelligence company claimed the stolen source code had been sold.

It later emerged that CD Projekt Red staff had been locked out of their computers for up to two weeks while the studio dealt with the attack, contributing to a delay for the next Cyberpunk 2077 patch.