Geigner's Effect: CDPR Breach Worse Than Originally Reported, Because Of Course

from the this-is-the-way,-unfortunately dept

There has been a theorem proposed on these pages, originally by Mike himself, for a long time that goes something like this: when a data breach is first reported in the news, the severity of the breach is always, always, always underreported and there will eventually be an admission that the breach was much worse. Despite this not having been my original idea, I nonetheless slapped my name on it and called it The Geigner Effect. If that sort of name-slapping is good enough for former US Presidents, it's damned well good enough for me.

Anyway, an example of this is Nintendo's 2020 breach, where user data for the Nintendo Network was stolen, with the number of reported accounts affected magically doubling from 140k to 300k after a few months. It's also happened with Equifax, TJX, and even our own federal government. Perhaps most infamously, it also occurred when Yahoo acknowledged there was an email breach of a few hundred thousand accounts in 2013 that grew and grew over subsequent reports until, eventually in 2017, Yahoo acknowledged that literally every account had been affected.

In February, game studio CD Projekt Red acknowledged a breach of their corporate network. That breach was mostly of corporate assets, including source code for several games along with data from CDPR's "accounting, administration, legal, HR, investor relations, and more". The data was held for ransom, and there was no mention in the ransom note one way or the other of whether user data was affected. CDPR for its part indicated it would not be giving in to any monetary demands by the nefarious actors, but indicated it was working with law enforcement authorities to investigate the incident.

“We will not give into the demands nor negotiate with the actor, being aware that this may eventually lead to the release of compromised data,” the company writes. CD Projekt Red writes that it does not believe the breach contains personal data from players.

“We have already approached the relevant authorities, including law enforcement and the President of the Personal Data Protection Office, as well as IT forensic specialists, and we will closely cooperate with them in order to fully investigate the incident,” the company writes.

And, well, that's been it since February. For the lay observer, this looked like CDPR's systems and data had been restored from backup and that whatever work the authorities had done must have had a good effect, as no more information was released. For all the world, it appeared as though there was no real fallout from any of this.

Until this past Thursday, "coincidentally" the same day that E3 kicked off, when CDPR came out and admitted that the fallout from the breach both very much happened and is still going on.

As the entire gaming world laser-focused on Geoff Keighley’s sartorially questionable sneakers during the Summer Game Fest Kickoff Live! event, Cyberpunk 2077 studio CD Projekt Red released a statement regarding a February cyberattack against the company. Turns out, that data breach could not be contained.

“Today, we have learned new information regarding the breach, and now have reason to believe that internal data obtained during the attack is currently being circulated on the internet. [...] We are not able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games,” CDPR wrote in a tweet published at 2:39 p.m. ET, smack in the middle of today’s hotly anticipated showcase of video gaming advertisements.

This is the gaming industry equivalent of the old axiom: if you have to break news you really want to bury, break it at 5 p.m. on a Friday. In this case, CDPR was obviously attempting to limit the exposure of this news by announcing it just as the entire gaming world was focused on the start of E3. Why?

Well, perhaps it has something to do with just how vague CDPR is still being about what it lost in this data breach.

Today’s statement doesn’t say whether or not players of CDPR’s games were affected. Representatives for CDPR did not immediately respond to Kotaku’s request for comment.

That silence is not a good sign. Either CDPR doesn't know if user data was included in the breach, or it does know and doesn't want to say. That would indicate that the answer to the question of whether CDPR's customers' data is out there in the wild is somewhere on a spectrum between "yes" and "maybe".

And if the Geigner Effect holds true, one could expect a follow-up post to this one on exactly that topic.


Filed Under: breach, breach reporting, geigner's effect, under-reporting
Companies: cd projekt red


Reader Comments



  • Mike Masnick (profile), 14 Jun 2021 @ 5:55pm

    Hey!

    There has been a theorem proposed on these pages, originally by Mike himself, for a long time that goes something like this: when a data breach is first reported in the news, the severity of the breach is always, always, always underreported and there will eventually be an admission that the breach was much worse. Despite this not having been my original idea, I nonetheless slapped my name on it and called it The Geigner Effect.

    Hey, wait a second...


  • Pixelation, 14 Jun 2021 @ 10:26pm

    The axiom is wrong

    The truth shall get you hung!


  • PaulT (profile), 14 Jun 2021 @ 10:28pm

    On the one hand, things like this are inevitable. Companies have to disclose breaches as soon as possible, within 72 hours in cases of companies like CDPR who have to abide by the GDPR, which naturally means the announcements come before a complete investigation is possible for any large company. Nobody's going to come immediately out of the gate with the worst case scenario, so they will hedge their bets, and issue followups after the investigation. Said followup will contain anything that would be considered damaging or embarrassing to admit upfront, as it's clear that more people react to the initial breach notice than they do to the boring postmortem. Sometimes, companies get lucky with this gamble and they can confirm that the original announcement was as bad as it got.

    On the other hand, it is a little concerning that CDPR has somehow managed to confirm that copies of their data are circulating online, but still can't confirm exactly what's contained in those copies. If I had to guess, they're still trying to decide how much they actually need to admit, they just rushed out the main announcement in the hopes that it would be overlooked during E3 coverage.


    • Scary Devil Monastery (profile), 15 Jun 2021 @ 12:51am

      Re:

      "Nobody's going to come immediately out of the gate with the worst case scenario, so they will hedge their bets, and issue followups after the investigation."

      Well, what can you do? The very second the word "data breach" is mentioned in relation to investors and customer base every sphincter in legal spontaneously clenches into a pencil-sharpener. Not a single word in excess will be allowed to escape.

      "...it is a little concerning that CDPR has somehow managed to confirm that copies of their data are circulating online, but still can't confirm exactly what's contained in those copies."

      Or, as you imply later on, it's not that they can't. They'd simply very much rather not. Best case is they know damn well what's been lifted and are looking for legal to couch it in as scarce terms as possible. Worst case their processes are bad enough they'll have to reconstruct the database just to see what's in it or what it links to.


      • PaulT (profile), 15 Jun 2021 @ 1:50am

        Re: Re:

        "Well, what can you do?"

        Not a lot. The rules are there because too many companies just didn't bother admitting to any breach unless they decided it was too big to hide, hence the 72 hour time limit under GDPR. It's just worth noting that companies will still admit to the bare minimum, meaning that any serious breach will be underreported initially. That's not an "effect" worth naming, it's just predictable ass-covering, the same as with any problem that customers and investors are privy to.

        "Or, as you imply later on, it's not that they can't. They'd simply very much rather not"

        Yes, but at some point the excuses start to sound silly. No doubt, this is damage control where they admit to there being a wider breach than initially claimed, while they scramble around to find a way to minimise what they finally confirm. It's just not convincing when they try to admit to both knowing the scope of the breach and not knowing the data involved.


        • Anonymous Coward, 15 Jun 2021 @ 8:50am

          Re: Re: Re:

          That suggests that the disclosure requirements are not strict enough, if companies are allowed to make stuff up to cover their ass.

          Especially as mainstream media rarely seems ready to do much more than parrot press releases, even when they're this unconvincing.


        • Scary Devil Monastery (profile), 17 Jun 2021 @ 1:16am

          Re: Re: Re:

          "but at some point the excuses start to sound silly."

          ...or they launch a massive lawsuit at whatever unlucky person discovered the flaw or weakness in the hope to deflect as much blame as possible <cough> Sony <cough>.


      • Max, 15 Jun 2021 @ 7:42am

        Re: Re:

        "Or, as you imply later on, it's not that they can't. They'd simply very much rather not."

        Could be. But to be fair, it's also possible that a) they couldn't tell for sure what was accessed and b) the data dump was spotted for sale on some underground black market, but they would have to actually buy it to tell what exactly is in it, which they quite understandably might not be inclined to do.


  • Pixelation, 14 Jun 2021 @ 10:58pm

    "...the breach is always, always, always underreported..."

    And here I thought it was simply, always underreported. Silly me. :)


  • Scary Devil Monastery (profile), 15 Jun 2021 @ 12:46am

    It is a bit concerning

    You forgot to mention, among the major whoppers of data breaches, the Sony PS3 hack which stands out as being the textbook example of poor security choice where the "hack" in question was mainly that a user assuming control over their at-home hardware automatically provided developer access to the Sony network.

    It reminds me of a brief discussion I had with PaulIT on these boards recently about the shoddy state of "adequate" security in corporations. Game companies especially appear to have become the low-hanging fruit for crackers looking for soft targets.

