This message is a follow-up on the February security breach which targeted the CD PROJEKT Group. Today, we have learned new information regarding the breach, and now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the Internet.
We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games. Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach.
Currently, we are working together with an extensive network of appropriate services, experts, and law enforcement agencies, including the General Police Headquarters of Poland. We have also contacted Interpol and Europol. The information we shared in February with the President of the Personal Data Protection Office (PUODO) has also been updated.
Since the breach, we have taken multiple measures to secure and harden our internal systems to protect against breaches like this in the future. These measures include the following:
- our core IT infrastructure has been redesigned and rolled out;
- new next-generation firewalls with advanced anti-malware protection have been implemented;
- a new remote-access solution has been employed;
- the number of privileged accounts, and access rights to accounts, has been limited;
- a new mechanism for the protection of endpoints, servers, and networks has been installed;
- our event-monitoring mechanisms have been improved;
- we have expanded our internal security department;
- we have established cooperation with multiple external cybersecurity & IT specialists.
We would also like to state that — regardless of the authenticity of the data being circulated — we will do everything in our power to protect the privacy of our employees, as well as all other involved parties. We are committed and prepared to take action against parties sharing the data in question.
For more information regarding February incident and actions recommended for former employees or contractors, please visit www.cdprojekt.com/en/media/news/information-regarding-data-security/.