Geigner's Effect: CDPR Breach Worse Than Originally Reported, Because Of Course

from the this-is-the-way,-unfortunately dept

There has been a theorem proposed on these pages, originally by Mike himself, for a long time that goes something like this: when a data breach is first reported in the news, the severity of the breach is always, always, always underreported and there will eventually be an admission that the breach was much worse. Despite this not having been my original idea, I nonetheless slapped my name on it and called it The Geigner Effect. If that sort of name-slapping is good enough for former US Presidents, it's damned well good enough for me.

Anyway, an example of this is Ninteno's 2020 breach, where user data for the Nintendo Network was stolen, with the number of reported accounts effected magically doubling from 140k to 300k after a few months. It's also happened with Equifax, TJX, and even our own federal government. Perhaps most infamously, it also occurred when Yahoo acknowledged there was an email breach of a few hundred thousand accounts in 2013 that grew and grew over subsequent reports until, eventually in 2017, Yahoo acknowledged that literally every account had been affected.

In February, game studio CD Projekt Red acknowledged a breach of their corporate network. That breach was mostly for corporate assets, including source code for several games along with data from CDPR's "accounting, administration, legal, HR, investor relations, and more". Held for ransom, there was no mention in the ransom note one way or the other if user data was effected. CDPR for its part indicated it would not be giving into any monetary demands by the nefarious actors, but indicated it was working with law enforcement authorities to investigate the incident.

“We will not give into the demands nor negotiate with the actor, being aware that this may eventually lead to the release of compromised data,” the company writes. CD Projekt Red writes that it does not believe the breach contains personal data from players.

“We have already approached the relevant authorities, including law enforcement and the President of the Personal Data Protection Office, as well as IT forensic specialists, and we will closely cooperate with them in order to fully investigate the incident,” the company writes.

And, well, that's been it since February. For the lay observer, this looked like CDPR's systems and data had been restored from backup and that whatever work the authorities had done must have had a good effect, as no more information was released. For all the world, it appeared as though there was no real fallout from any of this.

Until this past Thursday, "coincidentally" the same day that E3 kicked off, when CDPR came out and admitted that the fallout from the breach both very much happened and is still going on.

As the entire gaming world laser-focused on Geoff Keighley’s sartorially questionable sneakers during the Summer Game Fest Kickoff Live! event, Cyberpunk 2077 studio CD Projekt Red released a statement regarding a February cyberattack against the company. Turns out, that data breach could not be contained.

“Today, we have learned new information regarding the breach, and now have reason to believe that internal data obtained during the attack is currently being circulated on the internet. [...] We are not able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games,” CDPR wrote in a tweet published at 2:39 p.m. ET, smack in the middle of today’s hotly anticipated showcase of video gaming advertisements.

This is the gaming industry equivalent of the old axiom: if you have to break news you really want to bury, break it at 5p on a Friday. In this case, CDPR was obviously attempting to limit the exposure of this news by announcing it just as the entire gaming world was focused on the start of E3. Why?

Well, perhaps it has something to do with just how vague CDPR is still being about what it lost in this data breach.

Today’s statement doesn’t say whether or not players of CDPR’s games were affected. Representatives for CDPR did not immediately respond to Kotaku’s request for comment.

That silence is not a good sign. Either CDPR doesn't know if user data was included in the breach, or it does know and doesn't want to say. That would indicate that the answer to the question of whether CDPR's customers' data is out there in the wild is somewhere on a spectrum of "yes" and "maybe".

And if the Geigner Effect holds true, one could expect a follow up post to this one on exactly that topic.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, breach reporting, geigner's effect, under-reporting
Companies: cd projekt red

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    Scary Devil Monastery (profile), 17 Jun 2021 @ 1:12am

    Re: Re: Re: Hey!

    "You may need to double-check who has their name on the Streisand Effect :)"

    Name tag, name tag. Mike, insofar as I know, coined the term "Streisand Effect" from the start. Or at least that's what the wiki says. :)

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.