Warsaw, February 17th, 2021
INFORMATION REGARDING DATA SECURITY
Dear former employee or contractor of CD PROJEKT S.A. (the “Company”),
As you may already know from CD PROJEKT RED’s public statement on Twitter or our previous notices, CD PROJEKT S.A. has been recently hit by a targeted cyber attack, discovered on February 8th, 2021.
Even though we have not confirmed a “leak” of your personal data (and we assess that the probability of such a leak is low), our duty under the General Data Protection Regulation (“GDPR”) is to describe to you the potential consequences of the incident, as if the leak actually happened.
Please find below the required information about the incident.
Character of the incident
We investigated the incident and established that:
- some files including personal data of the current and former employees and contractors of the Company (hereinafter “employees”) were encrypted by the malware within the CD PROJEKT company network, making them temporarily unavailable;
- the encrypted files included documents related to the course of your employment in the Company, including:
– employment contracts or other types of agreements (specific task, services, mandate),
– NDAs,
– copies of ID documents (in case where they were required for signing contracts with foreign employees/contractors or due to legal requirements),
– employee questionnaires,
– information regarding payroll, benefits and similar matters, including data included in the applications for private medical care (that might have also included your relatives’ personal data); - the encrypted personal data was successfully retrieved from backups – no data was lost;
- the attackers left a ransom note suggesting that they copied the files including staff personal data, apart from encrypting them, and threatened to leak them to gaming journalists;
- after our investigation, we have not found any evidence that any personal data was actually transferred outside the company network;
- nevertheless, due to the attackers’ course of action, we may never be able to say for certain if they actually copied any personal data.
Initial precautions
We approached this situation with extreme caution from the very beginning. This is why we have:
- notified the Police;
- notified the President of the Personal Data Protection Office;
- started monitoring the web with the help of a specialised service provider for the emergence of personal data from our internal network (we have not confirmed any such case);
- informed the public about the incident on Twitter on February 9th 1;
- addressed our former staff on Twitter on February 9th, sharing our Privacy Team’s email address for sending their questions about the attack2;
- kept an open email communication with everyone concerned about their data safety in relation to the incident;
- sent direct emails to our former staff members (those whose email addresses we had available) with useful data safety tips and cybersecurity recommendations.
Regarding steps related directly to information security, in response to the incident we have:
- cut off remote access to internal network resources and isolated the internal network from the Internet;
- initiated malware scans of staff PCs and launched new tools monitoring staff PCs and network activity for anomalies;
- strengthened the password policy and forced staff to change their passwords to all network services (including those unaffected by the incident);
- engaged external IT security experts to investigate the causes and course of the incident;
- provided staff with additional instructions and warnings regarding personal data protection and cybersecurity.
Potential consequences
Fulfilling our obligation resulting from the GDPR, we inform you that the potential consequences of the incident may include (in broad terms):
- loss of control over your personal data, infringement of your right to privacy, which may e.g. result in damaging your reputation or lead to discrimination;
- limiting the possibility of exercising your rights as a data subject under Art. 15-22 of the GDPR – e.g. to receive a copy of your data or to request its deletion;
- limiting the possibility of exercising your rights such as participation in voting on projects to be funded from participation budgets;
- theft or falsification of identity;
- financial loss, e.g. obtaining by third parties, to your detriment, loans from non-bank financial institutions;
- obtaining by third parties access to your healthcare services and data on your health;
- extortion of insurance or funds from insurance, or other extortion attempts, such as phishing or blackmail;
- conclusion of civil law contracts, e.g. real estate lease, leading to disposing of property to your detriment, as well as concluding service contracts, e.g. cable TV, telephone (including registering prepaid card in your name), Internet, and then ceasing to pay bills and causing negative consequences for you, i.e. debt;
- receiving unwanted correspondence (spam).
Recommended actions
We have prepared a helpful list of safety tips that you could follow to increase the security of your data:
- Subscribe to a service monitoring your credit activity to receive alerts whenever someone files an application for a loan using your name, e.g. BIK Alerts — https://www.bik.pl/klienci-indywidualni/alerty-bik or https://chronpesel.pl. In case of foreign citizens – look for similar services in your country of citizenship.
- Restrict your personal ID or other documents you used in formal contacts with the Company (e.g. your passport) in the bank where you have your account or in another bank, even if you do not have an account there – a list of Polish banks which accept such reports can be found here: https://dokumentyzastrzezone.pl/lista-bankow-zastrzegajacych-dokumenty-od-wszystkich-osob/;
- In case of Polish citizens – obtain a new Polish personal ID by contacting municipal/district office (Urząd Gminy/Dzielnicy), invalidating your current personal ID and applying for a new personal ID. This can be done via the Internet using your Trusted Profile (Profil Zaufany), stationary at the office or via post office if you are abroad. For more information please visit this website (Polish only): https://www.gov.pl/web/gov/zglos-utrate-lub-uszkodzie-swojego-dowodu-osobistego-uniewaznij-dowod.
Please note that if your current personal ID number is different than the one you used in formal contacts with the Company, e.g. if you changed your personal ID after you stopped working for the Company, there is no need to restrict and/or apply for a new ID in accordance with points 2 and 3 above.
- If you suspect that you may have become a victim of a crime against you – promptly report that crime to the police. If the crime is a fraud committed using your personal data, you should also notify the entity that uses that data, e.g. a bank or loan company, a mobile network, etc. Collect and keep evidence of any formal actions you take in that regard for potential litigation.
- If you use your PESEL number or other national identification number as your user ID in any account or service – change it (if the service permits such a change).
- Be especially cautious when:
a) you receive unexpected emails or text messages, especially from unknown senders;
b) answering calls from unknown numbers, especially when they request your data for “verification purposes”, even if the person calling reads back to you some of your actual data. It may be an attempt to obtain further data, other than the compromised information;
c) sharing or using your personal data over the Internet, especially when you follow links found in emails or direct messages. Pay close attention to the contents of the link and look for irregularities.
If you observe any irregularities, do not share any personal details with suspicious recipients and consider reporting this fact to law enforcement authorities.
If you have any further questions about data security practices, contact us at the email address dpo@cdprojektred.com.
1 https://twitter.com/CDPROJEKTRED/status/1359048125403590660
2 https://twitter.com/CDPROJEKTRED/status/1359230980775694341