By Dave Sebastian and Sarah E. Needleman
The company behind "Cyberpunk 2077" said its internal systems were breached in a cyberattack and the purported hacker threatened to release the software code underpinning the blockbuster videogame and other works in progress, a disclosure that sent its stock tumbling and presented a fresh challenge for the embattled developer.
CD Projekt SA on Tuesday said an unidentified hacker accessed its internal network and collected corporate data in what the company described as a targeted attack. The company said it has begun restoring the data and that its backups remain intact, though some network devices remained encrypted. The compromised systems didn't contain personal data of its players or users of its services, the Polish company said.
The hacker left a ransom note in CD Projekt's system, the company said. In the undated note, a copy of which CD Projekt posted on Twitter, the hacker threatened to sell or leak videogame source codes and internal documents if the company didn't come to an agreement with the hacker. The hacker gave the company 48 hours to contact them, according to the note.
"We have dumped FULL copies of the source codes from your Perforce server for Cyberpunk 2077, Witcher 3, Gwent and the unreleased version of Witcher 3!!!" the note said. "We have also dumped all of your documents relating to accounting, administration, legal, HR, investor relations and more!"
CD Projekt shares fell about 5% in Warsaw trading. A CD Projekt representative declined to comment on what means the hacker used to gain access to systems and data. It isn't immediately clear whether the hack actually obtained code for CD Projekt's games.
Security analysts have said ransomware attacks, in which hackers cripple software systems until they receive a bounty, have been on the rise in recent years along with the financial demands. The federal Cybersecurity and Infrastructure Security Agency launched a campaign last month to help raise awareness of the risks that ransomware poses to public- and private-sector organizations.
CD Projekt could suffer significant financial losses should code for any of its unreleased games get out because consumers could then become less interested in buying the official work from the company or a third-party retailer, said Ray Walsh, who works at ProPrivacy.com, a digital-privacy advocacy group in the U.K.
CD Projekt counts only two major franchises in its portfolio and has indicated that it is in the midst of developing new content for both. The company said it has approached authorities including law enforcement and Poland's national data protection office.
"We will not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data," CD Projekt said. "We are taking necessary steps to mitigate the consequences of such a release, in particular by approaching any parties that may be affected due to the breach."
The cyberattack is the latest issue facing the videogame developer whose reputation has been dented by the rocky rollout of its most ambitious project "Cyberpunk 2077."
The company is overhauling the game, which after its release in December experienced glitches that resulted in a deluge of player complaints and prompted the company to offer refunds. Sony Corp. pulled the game in December from its PlayStation Store amid the complaints. CD Projekt executives apologized to players and pledged improvements to the product.
Despite the challenges, "Cyberpunk 2077" was one of the top-selling videogame titles world-wide last year, according to industry analysts. CD Projekt sold 10.2 million digital copies of the game world-wide in its debut month of December, making it the most successful game launch of all time by that metric, according to estimates from Nielsen's SuperData. In the U.S. it was also the second bestselling game of December, and the 19th bestselling game of 2020, as measured by sales of physical copies of the game, according to NPD Group.
Other videogame companies have dealt with hacks of their technology systems or leaks of customer data. Ubisoft Entertainment SA, known for its Assassin's Creed series, suffered one in 2013. At the time the company said one of its websites was hacked, leading to unauthorized access of account usernames, encrypted passwords and email addresses, though no financial information was obtained. Roughly a decade ago, a hacker stole names, birth dates and other sensitive information for tens of millions of people who played games online through Sony's PlayStation console, which at the time was one of the largest online security breaches.
Write to Dave Sebastian at email@example.com and Sarah E. Needleman at firstname.lastname@example.org
(END) Dow Jones Newswires