Polish gaming company reported security incident to multiple law enforcement agencies
Video game developer CD Projekt Red has offered an update on its investigation into a cyber-attack that resulted in internal data and source code being leaked.
The company, which develops popular games including Cyberpunk 2077 and The Witcher series, was hit by the security breach in February.
In a statement released last night (June 10), CD Projekt Red said it believes that internal data stolen during the attack has been shared online.
It reads: “Today, we have learned new information regarding the breach, and now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the internet.
“We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games.
“Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach.”
Stolen source code
In a ransom note left at the time, attackers claimed they had pilfered the full source code for popular video games including Cyberpunk 2077, Witcher 3, and Gwent.
They also said they had documents relating to CD Projekt Red’s accounting, administration, and legal operations.
CD Projekt Red, which is based in Poland, said it has informed relevant law enforcement agencies, including its domestic police headquarters, Interpol, Europol, and Poland’s data privacy regulator.
It also said that it was strengthened its security posture in the wake of the incident by taking various measures including “redesigning” its core IT infrastructure, limiting the number of privileged accounts, and access rights to accounts, and expanding its internal security department.
The company added: “We would also like to state that – regardless of the authenticity of the data being circulated – we will do everything in our power to protect the privacy of our employees, as well as all other involved parties.
“We are committed and prepared to take action against parties sharing the data in question.”