The February ransomware attack on Cyberpunk 2077 developer CD Projekt Red is worse than originally thought, as the hackers behind the attack may have also stolen data on company employees, the Polish company disclosed this week.
“We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games,” the developer said in a statement.
In February, CD Projekt Red originally said no employee data was likely exposed in the attack. “To our ex-employees: As of this moment, we don’t possess evidence that any of your personal data was accessed,” the company said at the time.
But since then, the stolen data has been gradually leaking online. On one forum, a group is selling access to the stolen assets, which allegedly include an earlier build of Cyberpunk 2077, source code to other games including The Witcher 3: Wild Hunt, and internal company reports.
In Thursday’s statement, CD Projekt Red indicated the leaked files are real. “We have learned new information regarding the breach, and now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the internet,” the company said.
Still, it’s no surprise employee data was looted in the ransomware attack. That’s because the hackers behind the breach essentially said so in their own ransom note. “We have also dumped all of your documents relating to accounting, administration, legal, HR, investor relations and more!” the attackers wrote at the time.
In response to the leaks, CD Projekt Red said it’s working with European law enforcement. The company is also warning internet users to steer clear of the stolen data or they could face prosecution.
“We would also like to state that—regardless of the authenticity of the data being circulated—we will do everything in our power to protect the privacy of our employees, as well as all other involved parties,” the company said. “We are committed and prepared to take action against parties sharing the data in question.”