
Cyber Incident Victim: CD Projekt

Date: Feb 2021

Location: Poland

Summary

A video game developer experienced a cyberattack in which threat actors compromised internal systems and stole game source code and sensitive documents, including HR and accounting files. The attackers issued a ransom demand, but the company publicly refused to negotiate or pay, prioritizing transparency despite acknowledging the potential release of stolen data. Its investigation indicated that no personal player or user data was accessed during the breach. The ransom note suggested the attackers anticipated that the victim could restore operations from backups, implying awareness of the company's resilience measures.


Description

On February 9, 2021, CD Projekt Red publicly disclosed via Twitter that it had suffered a cyberattack and received a ransom demand. The company stated it would not negotiate with or pay the threat actor, despite acknowledging this refusal could result in the release of compromised data. Initial investigations indicated the breached systems did not contain personal data belonging to players or users of their services. The attackers claimed possession of source code for several games, including Cyberpunk 2077, The Witcher 3: Wild Hunt, and an unreleased version of The Witcher 3, alongside internal documents spanning HR, accounting, and administrative functions. Notably, the ransom note referenced the likelihood that CD Projekt Red could restore affected systems from backups, suggesting prior awareness of the company’s resilience measures. The announcement emphasized transparency with stakeholders while forensic work continued to assess the full scope.

The incident posed operational and reputational risks due to the potential exposure of proprietary game code and sensitive corporate documents. CD Projekt Red confirmed no evidence of player/user data compromise but warned that stolen internal information might be leaked publicly following their refusal to pay. The company engaged law enforcement and IT security specialists to investigate the breach’s origins and contain further access. Proactive steps included securing and rebuilding compromised infrastructure while reinforcing network defenses. This response aligned with their decision to prioritize system integrity over ransom negotiations, accepting the possibility of data dissemination as a calculated consequence. The breach highlighted vulnerabilities in safeguarding high-value intellectual property, though the firm’s immediate transparency contrasted with typical corporate breach disclosures.
