Geigner's Effect: CDPR Breach Worse Than Originally Reported, Because Of Course

from the this-is-the-way,-unfortunately dept

There has been a theorem proposed on these pages, originally by Mike himself, for a long time that goes something like this: when a data breach is first reported in the news, the severity of the breach is always, always, always underreported and there will eventually be an admission that the breach was much worse. Despite this not having been my original idea, I nonetheless slapped my name on it and called it The Geigner Effect. If that sort of name-slapping is good enough for former US Presidents, it's damned well good enough for me.

Anyway, an example of this is Nintendo's 2020 breach, where user data for the Nintendo Network was stolen, with the number of reported accounts affected magically doubling from 140k to 300k after a few months. It's also happened with Equifax, TJX, and even our own federal government. Perhaps most infamously, it also occurred when Yahoo acknowledged there was an email breach of a few hundred thousand accounts in 2013 that grew and grew over subsequent reports until, eventually in 2017, Yahoo acknowledged that literally every account had been affected.

In February, game studio CD Projekt Red acknowledged a breach of their corporate network. That breach mostly involved corporate assets, including source code for several games along with data from CDPR's "accounting, administration, legal, HR, investor relations, and more". The data was held for ransom, but the ransom note made no mention one way or the other of whether user data was affected. CDPR, for its part, indicated it would not be giving in to any monetary demands from the nefarious actors, but said it was working with law enforcement authorities to investigate the incident.

“We will not give into the demands nor negotiate with the actor, being aware that this may eventually lead to the release of compromised data,” the company writes. CD Projekt Red writes that it does not believe the breach contains personal data from players.

“We have already approached the relevant authorities, including law enforcement and the President of the Personal Data Protection Office, as well as IT forensic specialists, and we will closely cooperate with them in order to fully investigate the incident,” the company writes.

And, well, that's been it since February. For the lay observer, this looked like CDPR's systems and data had been restored from backup and that whatever work the authorities had done must have had a good effect, as no more information was released. For all the world, it appeared as though there was no real fallout from any of this.

Until this past Thursday, "coincidentally" the same day that E3 kicked off, when CDPR came out and admitted that the fallout from the breach both very much happened and is still going on.

As the entire gaming world laser-focused on Geoff Keighley’s sartorially questionable sneakers during the Summer Game Fest Kickoff Live! event, Cyberpunk 2077 studio CD Projekt Red released a statement regarding a February cyberattack against the company. Turns out, that data breach could not be contained.

“Today, we have learned new information regarding the breach, and now have reason to believe that internal data obtained during the attack is currently being circulated on the internet. [...] We are not able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games,” CDPR wrote in a tweet published at 2:39 p.m. ET, smack in the middle of today’s hotly anticipated showcase of video gaming advertisements.

This is the gaming industry equivalent of the old axiom: if you have to break news you really want to bury, break it at 5p on a Friday. In this case, CDPR was obviously attempting to limit the exposure of this news by announcing it just as the entire gaming world was focused on the start of E3. Why?

Well, perhaps it has something to do with just how vague CDPR is still being about what it lost in this data breach.

Today’s statement doesn’t say whether or not players of CDPR’s games were affected. Representatives for CDPR did not immediately respond to Kotaku’s request for comment.

That silence is not a good sign. Either CDPR doesn't know if user data was included in the breach, or it does know and doesn't want to say. That would indicate that the answer to the question of whether CDPR's customers' data is out there in the wild is somewhere on a spectrum of "yes" and "maybe".

And if the Geigner Effect holds true, one could expect a follow-up post to this one on exactly that topic.

Filed Under: breach, breach reporting, geigner's effect, under-reporting
Companies: cd projekt red


Reader Comments

  1. PaulT, 14 Jun 2021 @ 10:28pm

    On the one hand, things like this are inevitable. Companies have to disclose breaches as soon as possible, within 72 hours in cases of companies like CDPR who have to abide by the GDPR, which naturally means the announcements come before a complete investigation is possible for any large company. Nobody's going to come immediately out of the gate with the worst case scenario, so they will hedge their bets, and issue followups after the investigation. Said followup will contain anything that would be considered damaging or embarrassing to admit upfront, as it's clear that more people react to the initial breach notice than they do to the boring postmortem. Sometimes, companies get lucky with this gamble and they can confirm that the original announcement was as bad as it got.

    On the other hand, it is a little concerning that CDPR has somehow managed to confirm that copies of their data are circulating online, but still can't confirm exactly what's contained in those copies. If I had to guess, they're still trying to decide how much they actually need to admit, they just rushed out the main announcement in the hopes that it would be overlooked during E3 coverage.

