Autor: Michal Kandráč; Pavel Amler

Published: 22. 2. 2021

The media has recently reported about a ransomware attack on the Polish developer CD PROJEKT, the company behind the successful game series The Witcher or the brand-new Cyberpunk 2077. After the difficulties associated with the release of Cyberpunk 2077, this is another major controversy in the gaming world relating to CD PROJEKT.

The main points of the case are summarised below, including our practical recommendations regarding cyberattacks.

In recent months, CD PROJEKT has been undergoing every developer’s nightmare. December’s release of the most anticipated game of 2020 – Cyberpunk 2077 – did not go as the developers planned.  Despite record sales, the game contained a large number of bugs and was virtually unplayable on the ‘old’ console generation (PS4 and XboxOne) due to poor optimisation. The initial enthusiasm among gamers was replaced by disappointment, with customers demanding refunds and some online stores even pulling CyberPunk 2077 from sale altogether (such as PlayStation Store).[1] For an ‘AAA’ title, this was an unprecedented controversy.

To make matters worse, CD PROJEKT announced in early February that its servers had been attacked by hackers.[2] Along with this announcement, CD PROJEKT published a message from the hackers, in which the attackers claimed that they (i) had obtained copies of the source code of the games (including Cyberpunk 2077 or The Witcher 3 and CD PROJEKT’s business documents, (ii) had removed the information from the company’s servers before encrypting them, and (ii) demanded a ransom from CD PROJEKT to be paid within 48 hours or else they would sell or provide the information to gaming journalists.

Given that CD PROJEKT refused to negotiate with the hackers, the stolen source code was (allegedly) sold on the dark web for several million US dollars to an anonymous buyer after the expiry of the deadline. The amount was reportedly so high that the hackers agreed not to disclose the information in question.[3] This conclusion, of course, fuels various speculations as to the failure/success of the auction as well as the fact that the anonymous buyer could have been CD PROJEKT itself. However, this is something we will probably never know (unless someone publishes the data concerned).

What does the above imply then? First and foremost, this is another blow to CD PROJEKT’s reputation, which, combined with the failed release of Cyberpunk 2077 and related investor lawsuits, will likely result in another impairment of the company’s value. Among other things, it also turns out that if a ransomware attack is carried out by professionals, the stolen data and hence the valuable intellectual property or trade secrets/know-how, can very quickly end up in the hands of third parties.

The above only underscores the fact that cybersecurity compliance is becoming increasingly important in the context of today’s digital age. In practice, however, effective prevention and response to cyberattacks is a combination of many factors. We can only hope that CD PROJEKT will manage to handle all the unfortunate setbacks and we will be able to enjoy the games themselves rather than the scandals in the future. Losing the studio that allowed us to play as Geralt of Rivia to a ransomware attack would be a shame.

In conclusion and for completeness, we summarise the ten commandments of cybersecurity that everyone should keep in mind in connection with cyberattacks:

1. IT solutions. Get an efficient IT solution to protect your data or check whether your current solutions are sufficient/up-to-date. A good IT solution can often stop hackers, or at least deter or slow them down.
2. Staff. Always have IT experts available who can identify and resolve an ongoing or past cyberattack on your systems in time. You will probably be not able to resolve a cyberattack without good IT team.
3. Training. Train your employees and regularly update them on the latest cyberattack capabilities and cybersecurity policies. The less educated an employee, the greater the risk of a successful cyberattack.
4. Providers. Audit your contracts with your current providers to ensure that they can provide you with the support you need in the event of a cyberattack. The last thing you want to deal with during a cyberattack on your servers is the availability of your hosting provider.
5. Risk Management. Have experts available to consult on the legal and security risks of a particular cyberattack, or on a strategy for the next steps if necessary. A general solution may not always work.
6. Internal rules. Prepare/update documents describing your security policy, including the roles of individual employees and crisis scenarios as to how to deal with certain types of cyberattacks in general. This will save you time determining the appropriate response.
7. Templates. Prepare template forms for reporting a cyberattack to the relevant authorities (such as to the Office for Personal Data Protection) and other bodies (such as filing a criminal information). The templates will allow you to (i) quickly comply with your statutory obligations, (ii) avoid unnecessary administrative fines, and (iii) engage government authorities that can help you with the cyberattack.
8. Backups. Always archive your data securely on separate backup servers on a regular basis. This will allow you to prevent the risk of complete data loss.
9. Recovery plans. Implement a strategy that allows you to recover as quickly as possible after a cyberattack. This will prevent further losses.
10. Prepare for the worst. Be aware that some of your data may indeed be sold or lost in the event of a cyberattack. Therefore, always protect your most valuable/sensitive assets with multiple levels of security.

[1] See for example https://www.playstation.com/en-us/cyberpunk-2077-refunds/

[2] https://twitter.com/CDPROJEKTRED/status/1359048125403590660.

[3] The price for the stolen data started at USD 1 million, the price for immediate purchase was set at USD 7 million. https://www.theverge.com/2021/2/10/22276664/cyberpunk-witcher-hackers-auction-source-code-ransomware-attack