from the this-is-the-way,-unfortunately dept
There has been a theorem proposed on these pages, originally by Mike himself, for a long time that goes something like this: when a data breach is first reported in the news, the severity of the breach is always, always, always underreported and there will eventually be an admission that the breach was much worse. Despite this not having been my original idea, I nonetheless slapped my name on it and called it The Geigner Effect. If that sort of name-slapping is good enough for former US Presidents, it’s damned well good enough for me.
Anyway, an example of this is Ninteno’s 2020 breach, where user data for the Nintendo Network was stolen, with the number of reported accounts effected magically doubling from 140k to 300k after a few months. It’s also happened with Equifax, TJX, and even our own federal government. Perhaps most infamously, it also occurred when Yahoo acknowledged there was an email breach of a few hundred thousand accounts in 2013 that grew and grew over subsequent reports until, eventually in 2017, Yahoo acknowledged that literally every account had been affected.
In February, game studio CD Projekt Red acknowledged a breach of their corporate network. That breach was mostly for corporate assets, including source code for several games along with data from CDPR’s “accounting, administration, legal, HR, investor relations, and more”. Held for ransom, there was no mention in the ransom note one way or the other if user data was effected. CDPR for its part indicated it would not be giving into any monetary demands by the nefarious actors, but indicated it was working with law enforcement authorities to investigate the incident.
“We will not give into the demands nor negotiate with the actor, being aware that this may eventually lead to the release of compromised data,” the company writes. CD Projekt Red writes that it does not believe the breach contains personal data from players.
“We have already approached the relevant authorities, including law enforcement and the President of the Personal Data Protection Office, as well as IT forensic specialists, and we will closely cooperate with them in order to fully investigate the incident,” the company writes.
And, well, that’s been it since February. For the lay observer, this looked like CDPR’s systems and data had been restored from backup and that whatever work the authorities had done must have had a good effect, as no more information was released. For all the world, it appeared as though there was no real fallout from any of this.
Until this past Thursday, “coincidentally” the same day that E3 kicked off, when CDPR came out and admitted that the fallout from the breach both very much happened and is still going on.
As the entire gaming world laser-focused on Geoff Keighley’s sartorially questionable sneakers during the Summer Game Fest Kickoff Live! event, Cyberpunk 2077 studio CD Projekt Red released a statement regarding a February cyberattack against the company. Turns out, that data breach could not be contained.
“Today, we have learned new information regarding the breach, and now have reason to believe that internal data obtained during the attack is currently being circulated on the internet. […] We are not able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games,” CDPR wrote in a tweet published at 2:39 p.m. ET, smack in the middle of today’s hotly anticipated showcase of video gaming advertisements.
This is the gaming industry equivalent of the old axiom: if you have to break news you really want to bury, break it at 5p on a Friday. In this case, CDPR was obviously attempting to limit the exposure of this news by announcing it just as the entire gaming world was focused on the start of E3. Why?
Well, perhaps it has something to do with just how vague CDPR is still being about what it lost in this data breach.
Today’s statement doesn’t say whether or not players of CDPR’s games were affected. Representatives for CDPR did not immediately respond to Kotaku’s request for comment.
That silence is not a good sign. Either CDPR doesn’t know if user data was included in the breach, or it does know and doesn’t want to say. That would indicate that the answer to the question of whether CDPR’s customers’ data is out there in the wild is somewhere on a spectrum of “yes” and “maybe”.
And if the Geigner Effect holds true, one could expect a follow up post to this one on exactly that topic.