CD Projekt: internal company data captured in hack is now shared online

CD Projekt believes that internal company data that was stolen in the February ransomware attack is now being distributed. The company cannot confirm what data is involved or whether this data has been adjusted. It may be employee data and game data.

The publisher writes to have received more information about the attack on Thursday. Based on this information, CD Projekt says it has “reasons to believe” that the internal data is now being shared. It is not clear whether the company has seen the shared data itself. It seems that this is not the case; CD Projekt says it can’t confirm the exact content. The publisher can therefore not confirm that the data is authentic and has not been modified. The company states that it may be data from current and former employees and game data.

CD Projekt says it is working with cyber experts and police forces, including the Polish National Police. Interpol and Europol have also been contacted. The Polish Data Protection Office has also been updated with the new information.

Since the attack, the company says it has taken several steps to prevent another attack. For example, the core IT infrastructure has been redesigned, new firewalls with improved anti-malware protection have been implemented and the number of privileged accounts has been limited.

Last weekend it was announced that the source code of Cyberpunk 2077 and The Witcher 3, among others, may have appeared online. This code is encrypted; the criminals charge $10,000 for the decryption keys. CD Projekt already expected the data to be published in February, when the hack became known.