CD Projekt Red says internal data from ransomware breach is being spread online

CD Projekt Red is still grappling with the fallout from the ransomware attack it suffered in February. The Polish studio behind The Witcher has issued an update on the security breach, stating that internal data stolen during the hack is being circulated online. While the developer said it cannot confirm the exact contents of the information, it believes the files may include details on current and former employees and contractors, along with data related to its games.

As part of the breach, hackers made off with the source code for titles including Cyberpunk 2077 and an unreleased version of Witcher 3. The attackers also dumped or threatened to dump documents related to accounting, administration, legal, HR, investor relations and more.

At the time, the studio defiantly said it would not give in to the ransom demands nor negotiate with the actor behind the breach. Just days later, it was revealed that the hackers had run an auction for the stolen data on a hacking forum — with the starting price of $1 million and an option to buy it outright for $7 million — but that was apparently shut down in favor of a private offer.

In its latest statement released on Thursday, CD Projekt Red detailed a number of security measures implemented following the attack. The company said it had redesigned its core IT infrastructure, utilized new firewalls with advanced anti-malware protection, deployed a new remote-access solution and limited the number of privileged accounts. It added that it's working with a network of security and law enforcement agencies, including the Polish police and the national data regulator. The studio revealed it had also contacted Interpol and Europol as part of its efforts to take action against the perpetrators.