A Timely Hack: The Story of CD Projekt RED’s Fall From Grace
by Adam Pease
They promised to release one of the most innovative games of all time, but ended up disappointing their customers and being forced to negotiate with hackers for their own source code. Poland-based CD Projekt RED (CDPR), the most valuable game development company in Europe, with a market valuation of $8.13 billion last summer, found itself the victim of a devastating hack last month, a cyberattack that came at the worst possible time.
This blog examines the story of CDPR’s fall from grace as an object lesson in the relationship between consumer satisfaction and security in the enterprise.
The Video Game Industry and the Risk of Hype
Before turning to the recent cyberattack that has left CDPR scrambling to respond, it is important to outline the lead-up to last month’s events. With the release of its highly anticipated flagship game, Cyberpunk 2077, late last year, CDPR destroyed its reputation as a pro-consumer video game developer, setting the stage for disastrous consequences when it would eventually be hacked. To understand how this happened, we need to take a look at the standard consumer.
Over the past ten years the video game industry has valorized a shift towards a preorder purchasing model driven by media hype cycles. When AAA games are released by publishers, clips, screenshots, and other promotional materials are released to gaming media outlets like IGN to disseminate hype.
Sometimes publishers even receive government grants to help meet the extraordinary development costs of games. Such was the case with CDPR, which received a $7 million grant from the Polish government, and now faces scrutiny from government investigators following the game’s disastrous release.
Oftentimes, this hype will drive purchasing well before the game has released. Those who don’t follow the industry may be surprised to learn that customers are willing to pay before they see the final product, but this is only a testament to the brand loyalty that certain game developers have been able to build.
CDPR was no exception, its previous successes having raised it from a small, anonymous Polish company into one of the industry’s titans. Gamers trusted CDPR to make a good game, and Cyberpunk 2077 shattered records for preorders in the lead-up to its release.
Cyberpunk 2077 was arguably the most hyped game of all time. Its promise of an open-world futuristic simulation that mixed elements from beloved franchises like Grand Theft Auto with the dedication to storytelling that had put CDPR on the map put it at the top of gaming news. A massive game, in development for 8 years, Cyberpunk 2077 had created enormous expectations, as its preorder sales demonstrated.
The Release of Cyberpunk 2077
While detailing all of the reasons that the launch of Cyberpunk 2077 was a disaster is beyond the scope of this blog, it is important to get a bird’s eye view of the game’s failure. The day before its release, Cyberpunk 2077 was met with glowing adoration from major gaming media outlets. They showered praise on the game for its impressive next-gen graphics, enabled by ray-tracing, and for the enticing futuristic city CDPR had simulated.
However, on the actual day of the game’s release, when everyday people, not just games journalists, were able to play the game, they reacted differently. The chorus went that CDPR’s game had been falsely advertised.
What had been promised to be a truly groundbreaking video game experience ended up being a familiar ride that was not only riddled with bugs, but nearly unplayable on last-generation consoles. Angry players took to Metacritic to ‘review bomb’ the game, plunging its score into the red. Outrage was pervasive, as what was promised to be 2020’s greatest game turned out to be a massive disappointment.
It seemed the games press was at odds with consumers, but soon many of the same outlets began issuing revised reviews, pointing out, for instance, that the game’s performance on last-generation consoles made it closer to a 4/10 than the original 9/10 they had suggested. In other words, the tide had turned against CDPR, and the games media press that had once fawned over it was now hastening its downfall.
Angry gamers swarmed Twitter accounts of the game and its publisher, demanding refunds, hotfixes, and explanations. Incidentally, this also led to a swath of returns and the unprecedented decision by Sony to remove the game from the PlayStation store, where it still cannot be purchased by many users.
It was a disaster in slow motion, as CDPR desperately tried to roll out patches to fix the broken aspects of the game, with gamers and the press responding that the updates were not only insufficient, but creating new problems.
It is not an understatement to say that CDPR’s previously sterling reputation amongst customers has been obliterated. Since the release of the game, the company has been mired in weeks of work on bug fixes that seem to incite more outrage, and is reportedly facing several lawsuits. A hack could not possibly have come at a worse time.
The CDPR Hack: The Power of Ransomware
On February 8th, CDPR announced that it had been the victim of a ransomware attack. Hackers contacted the company and informed them that the source code for multiple games, including Cyberpunk 2077, was now up for sale on a dark web auction site.
The hack of CDPR tells a story about how security vulnerabilities can hamstring enterprises at the worst possible moment. If customer satisfaction is already on the line, a timely hack can be all it takes to permanently damage the reputation of a successful business.
CDPR refused to pay the ransom. In such attacks, the enterprise is often between a rock and a hard place. In this case, refusing the ransom meant that CDPR had to shut down its internal network, making it impossible for employees to utilize their systems. As if this were not bad enough, the situation was compounded by the company’s recent shift to remote work, which left many completely incapable of working.
By quarantining the network, CDPR hoped it could avoid compromising the information of employees. In the process, however, it sacrificed its schedule for fixing and updating Cyberpunk 2077, announcing that its promised updates to the game would have to be delayed until an unspecified date.
Since then, the dark web auction for the source code has closed, and many expect the files were purchased for more than $7 million. However, it is also possible that hackers closed the auction after they were unable to find a buyer.
Security experts have identified ransomware called HelloKitty as the likely culprit in the hack. The malware works by infiltrating a system, extracting valuable IP, and then contacting the enterprise to extort a payment. Increasingly, companies choose not to pay in these kinds of ransomware extortion gambits.
However, the risks of refusing to pay can be high. If they refuse to cooperate, enterprises may have to shut down their networks as CDPR did, losing valuable time. Worse yet, they may find that their IP has been sold and repurposed by a competitor, or that hackers have scanned the source code to reveal product defects to customers.
Additionally, the CDPR hack reveals the way that security is closely wedded to privacy. The hack not only compromised the valuable IP held in the game source codes, but it also put at risk the personally-identifying information of customers and associates. In our Special Report on security and privacy last year, we described a shift towards new platforms that address security and privacy as an integrated set of concerns, a departure from the siloed anti-virus offerings of the past.
Ultimately, the CDPR hack came at the worst possible time. On the heels of weeks of bad press, and after losing considerable support from its once-loyal legion of fans, CDPR found its technical systems incapacitated by an unforeseen threat. Unable to deliver on its promised fixes, CDPR had to delay its updates once more. It remains to be seen whether the Polish developer can right the ship. However, what this story undeniably illustrates is the classic maxim that an ounce of prevention is worth a pound of cure.
If CDPR had had dedicated systems in place to mitigate the threat of ransomware attacks, it might have been able to escape this threat. And if it had made use of a privacy platform for managing personal information, it might not have needed to worry about leaking confidential employee and customer data. In general, we cannot predict when attacks will happen.
Enterprises must remain vigilant and seek state-of-the-art security and privacy solutions. It is better to assume there is always an attack around the corner than to find oneself caught off guard amidst other crises. We credit CDPR for being transparent in the wake of this attack, but the case serves as a lesson for enterprises. Consider reaching out to consult with an Aragon analyst about your security needs and the offerings that might benefit your enterprise.