CD Projekt Red (CDPR), the game studio responsible for Cyberpunk 2077 and The Witcher series, recently released a statement on Twitter saying that the company was a victim of a cyberattack. The studio also released the ransom note that was sent to them by the hacker responsible. The note can be found below.
CD Project Red said it will not negotiate with the attackers and it’s currently working with law enforcement to investigate the attack.
Within that ransom note, the hacker claimed to have gotten ahold of source code for several of the company’s titles, such as Cyberpunk, an “unreleased” version of The Witcher 3, and their virtual card game, Gwent. In addition to the source code, documents pertaining to accounting, legal, and other departments were also robbed from the company’s servers.
The hacker threatened to dump the source codes and the documents if CD Projekt Red doesn’t contact them within 48 hours and if they don’t “come to an agreement”.
Later that same day, CDPR followed up in a new tweet directed at former employees, stating that it does not believe their personal data was obtained but gave no guarantee. The studio was also unsure if the personal data of customers were safe. The parent company, CD Project S.A., owns GOG– a digital gaming platform that holds all subscribers’ private information.
To our ex employees: As of this moment, we don't possess evidence that any of your personal data was accessed. However, we still recommend caution (i.e. enabling fraud alerts). If you have questions, please write to our Privacy Team dpo[at]https://t.co/0UUMoqT5tF
— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
Regarding the personal data, CDPR said, “at this time we can confirm that — to our best knowledge — the compromised systems did not contain any personal data of our players, or users of our services.”
The hacker’s note doesn’t explicitly state the reason for hacking the studio but many across the internet are pointing to the messy launch of Cyberpunk 2077. The note alludes to this by mentioning how the studio’s public image will further deteriorate and how the hack will expose CDPR’s bad business practices.
The hackers also claim the company’s stock will fall, more than they already have. Cyberpunk 2077 had a rough launch as the game was riddled with bugs and glitches and gamers were not happy. The PS4 was of such poor quality that Sony decided to remove the game from its PS4 store and gave refunds.
Up for Auction
After the studio announced that it will not comply with the notes’ demands, the hacker leaked the source code onto online hacking forums. The hacker is auctioning the source code for Gwent on the hacking forum, Exploit. The party responsible is looking to get a million dollars for the source code.
A cybersecurity firm, KELA, believing the data’s legitimacy, states:
”The seller offers to use a guarantor and he allows only those who have a deposit to participate — a tactic that is used by many sellers to show that they are serious and to ensure that no scam will occur.”
CD Projekt Red's ransomed data has been leaked online. pic.twitter.com/T4Zzqfn78F
— vx-underground (@vxunderground) February 10, 2021
According to KELA, the starting price at the auction is $1 million with increments of $500,000 or a buy-it-now price of $7 million.
CDPR has not yet commented on this new development and it’s still unknown what the company’s next steps will be. This is just the latest in a series of negative experiences for CDPR.
In addition to this hack, the studio has been hit with two class-action lawsuits by investors in an attempt to “recover damages made by misleading statements”, referring to the subsequent stock drop after the disappointing launch of Cyberpunk 2077.
This is still a developing story and I will be closely following it.
What are your opinions on all this? What do you think CDPR will do next?