Four months ago, CD Projekt Red was the victim of a ransomware attack that resulted in an unspecified amount of data being nabbed by HelloKitty. The source code for Cyberpunk 2077 was one of the things lifted by the ransom group. CDPR wasn’t too concerned at the time, but everyone with a pulse felt it was only a matter of time until the other shoe dropped.
Well, it turns out that the ransomware attack was a bit more serious than CD Projekt Red led us to believe. ArsTechnica pointed us towards a statement released by the company:
This message is a follow-up on the February security breach which targeted the CD PROJEKT Group. Today, we have learned new information regarding the breach, and now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the Internet.
We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games. Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach.
Currently, we are working together with an extensive network of appropriate services, experts, and law enforcement agencies, including the General Police Headquarters of Poland. We have also contacted Interpol and Europol. The information we shared in February with the President of the Personal Data Protection Office (PUODO) has also been updated.
That’s not assuring. This looks only to have affected those in and around CDPR and not the overall customer base. However, it could drastically affect employees and contractors. The company isn’t being totally transparent at this point. Was payroll info stolen? Private messages? Private details about employees?
What a terrible one-two blow to CDPR. First Cyberpunk 2077 hits the market to massive backlash and near-universal refunds; now, untold amounts of data were leaked then circulated.