On the 12th of June 2021, CD Projekt, a recognized video game developer and publisher released a statement stating that they believe their internal data that was stolen when they were attacked by ransomware in February 2021, had been leaked and was circulating on the internet. The ransomware group that is said to be responsible for the attack is the HelloKitty ransomware group. Although another threat actor group known as PayLoad Bin, (formerly known as Babuk Locker) is said to be the one who are responsible for publishing the stolen data as the HelloKitty ransomware group had claimed they had sold the stolen data in February.
It is believed that the attackers had stolen the data from their network before encrypting the devices in the network with the goal of using the double extortion mechanism where they threatened to leak the stolen data unless CD Projekt paid the ransom.
But the company had stated when they were attacked, they were not going to “give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data.”
Now the data has been released to the public, CD Projekt is now warning any individuals who may be affected by the data leak as CD Projekt had learned that some of the leaked data may include employee and contractor details.
“We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games. Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach” told by CD PROJEKT in the security breach update on their website.
“Currently, we are working together with an extensive network of appropriate services, experts, and law enforcement agencies, including the General Police Headquarters of Poland. We have also contacted Interpol and Europol. The information we shared in February with the President of the Personal Data Protection Office (PUODO) has also been updated.”
Multiple measures have been taken by CD RPOJEKT to harden their security measures to be safe against such breaches in the future.
CD PROJEKT mentioned that “regardless of the authenticity of the data being circulated — we will do everything in our power to protect the privacy of our employees, as well as all other involved parties. We are committed and prepared to take action against parties sharing the data in question.”