CD Projekt has released a statement explaining it's been the victim of a "targeted cyber attack," with some of its internal systems compromised.
On Twitter the company explained an unidentified actor had breached its systems and collected data belonging to CD Projekt, and was now threatening to release the contents. CD Projekt said some of its devices had been encrypted by the attack, but that company backups remain intact and it is in the process of restoring its data.
Unusually, CD Projekt also released a copy of the ransom note sent by the unidentified actor. They claim to have gained access to "the source codes from [CD Projekt's] Perforce server for Cyberpunk 2077, Witcher 3, Gwent and the unreleased version of Witcher 3". They also claim to have gained access to "all of [CD Projekt's] documents relating to accounting, administration, legal, HR, investor relations and more," although the exact nature of these isn't detailed. The note demands CD Projekt contact the sender, or face the public release of the source codes and documents.
Important Update pic.twitter.com/PCEuhAJosR— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
CD Projekt has said it will "not give in to the demands nor negotiate with the actor, being aware that this may eventually lead to the release of the compromised data". It is now in the process of contacting parties who may have been affected by the breach, although it believes personal data belonging to players and users has not been compromised. It is currently working with law enforcement, IT specialists and the President of the Personal Data Protection Office to investigate the breach.