CD Projekt Red, creator of The Witcher series, Cyberpunk 2077, and other popular games, said on Friday that proprietary data taken in a ransomware attack leaked four months ago was likely circulating online.
“Today we learned of new information regarding the breach and now have reason to believe that internal data illegally obtained in the attack is currently circulating on the Internet,” company officials said in a statement. “We are not yet able to confirm the exact content of the data in question, although we believe it may include details of current / former employees and contractors in addition to data related to our games.”
The update represents a kind of about-face, as it warns that the information of current and former employees and contractors is now considered part of the compromised data. When the Poland-based game maker disclosed the attack in February, it said it didn’t believe the stolen data included personal information for employees or customers.
A week later, the company maintained that the likelihood of employee personal data being disclosed was “low.” He went on to say that “after our investigation we found no evidence that personal data was actually transferred outside the company network” and that “due to the conduct of the attackers, we may never be able to say for sure whether they have actually copied personal data.
It’s unclear why it took CD Projekt Red four months to determine that employee data was likely affected. Presumably, a forensic investigation could have made this decision before now. Attempts to reach representatives of CD Projekt Red for comment were not immediately successful.
Kittens and auctions
Shortly after CD Projekt Red’s initial disclosure, researchers said they discovered data showing that the source code of the games, including Cyberpunk 2077, Gwen, and The Witcher 3 had been auctioned with a starting bid of $ 1 million.
A separate team of researchers reported that the auction was closed after a buyer outside the auction forum offered a price acceptable to the sellers. The price was never disclosed. However, there is no evidence that a sale actually took place, and some researchers have speculated that when no buyers emerged, the sellers lied to save face.
Researchers say the CD Projekt Red breach was carried out by HelloKitty, a little-known ransomware group some researchers refer to as DeathRansom.
From the start, the game maker has consistently refused to pay or even negotiate with ransomware operators. This position is admirable, although it is much easier to take when victims can quickly rebuild their networks using backups, as Projekt Red was. Even then, there are prices to be paid, as the game creator finds out firsthand.