CD Projekt Red, the maker of The Witcher series, Cyberpunk 2077, and other popular games, said on Friday that proprietary data taken in a ransomware attack disclosed four months ago is likely circulating online.
“Today, we have learned new information regarding the breach and now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the Internet,” company officials said in a statement. “We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games.”
The update represents an about-face of sorts, as it warns that the information of current and former employees and contractors is now believed to be among the compromised data. When the Poland-based game maker disclosed the attack in February, it said it didn’t believe the stolen data included personal information for employees or customers.
A week later, the company maintained that the probability of employee personal data being disclosed was “low.” It went on to say that “after our investigation, we have not found any evidence that any personal data was actually transferred outside the company network” and that “due to the attackers’ course of action, we may never be able to say for certain if they actually copied any personal data.”
It’s not clear why it took CD Projekt Red four months to determine that employee data has likely been affected. Presumably, a forensic investigation could have made that determination before now. Attempts to reach CD Projekt Red representatives for comment didn’t immediately succeed.
Kitties and auctions
Shortly after CD Projekt Red’s initial disclosure, researchers said they uncovered data showing that source code for games including Cyberpunk 2077, Gwent, and The Witcher 3 had been put up for auction with a starting bid of $1 million.
A separate team of researchers reported that the auction had been closed after a buyer outside of the auction forum had offered a price that was acceptable to the sellers. The price was never disclosed. There’s no proof a sale actually went through, though, and some researchers have speculated that when no buyer emerged, the sellers lied to save face.
Researchers say that the CD Projekt Red breach was carried out by HelloKitty, a little-known ransomware group that some researchers refer to as DeathRansom.
From the beginning, the game maker has steadfastly refused to pay or even negotiate with the ransomware operators. That stance is admirable, although it’s much easier to take when victims can quickly rebuild their networks using backups, as CD Projekt Red was able to do. Even then, there are prices to pay, as the game maker is finding out first-hand.