CD PROJEKT RED tweeted early this morning that the studio was the victim of a cyber attack that compromised internal systems and stole source codes for Cyberpunk 2077 and the Witcher 3 among other important internal information.
CDPR said the unidentified actor in the attack gained unauthorized access and left the ransom note, which the company said it will not “give in to the demands nor negotiate with the actor, being aware that this may lead to the release of the compromised data.”
The note reads: “Hello CD Projekt [sic] Your have been EPICALLY pwned!! We have dumped FULL copies of the source codes from your Perforce server for Cyberpunk 2077, Witcher 3, Gwent and the unreleased version of Witcher 3!!! We have also dumped all of your documents relating to accounting, administration, legal, HR, investor relations and more! Also, we have encrypted all of your servers, but we understand that you can most like recover from backups. If we will not come to an agreement then your source codes will be sold or leaked online and your documents will be sent to our contacts in gaming journalism. Your public image will go down the shitter even more and people will see how you shitty your company functions [sic]. Investors will lose trust in your company and the stock will dive even love! You have 48 hours to contact us.”
The company said it has backups from the encrypted servers and is “taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to such a breach.”
It’s not clear exactly when the breach took place, so it’s difficult to say when the 48 hours will be up. The statement was made by CDPR on Twitter at 1:54 AM CST.
“We are still investigating the incident, however at this time we can confirm that — to the best of our knowledge — the compromised systems did not contain any personal data of our players or users of our services,” the statement by CDPR said. “We have already approached the relevant authorities, including law enforcement and the President of the Personal Data Protection Office, as well as IT forensic specialists, and we will closely cooperate with them in order to fully investigate this incident.”
The internet has been rife with contentious feelings towards CDPR since the launch of Cyberpunk 2077 back in early December. Two class action lawsuits have been filed against the company since, the second of which was announced a few weeks ago.
The implications of the breach are unknown at this time, but this cyber attack will undoubtedly affect nearly all employees of the company in some capacity in addition to countless video game industry partners. Fingers crossed they are correct about personal player data being unaffected as well, that would push this already delicate situation into a tailspin.
Important Update pic.twitter.com/PCEuhAJosR
— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021