Geigner's Effect: CDPR Breach Worse Than Originally Reported, Because Of Course
from the this-is-the-way,-unfortunately dept
For a long time there has been a theorem proposed on these pages, originally by Mike himself, that goes something like this: when a data breach is first reported in the news, the severity of the breach is always, always, always underreported, and there will eventually be an admission that the breach was much worse. Despite this not having been my original idea, I nonetheless slapped my name on it and called it The Geigner Effect. If that sort of name-slapping is good enough for former US Presidents, it's damned well good enough for me.
Anyway, an example of this is Nintendo's 2020 breach, where user data for the Nintendo Network was stolen, with the number of reported accounts affected magically doubling from 140k to 300k after a few months. It's also happened with Equifax, TJX, and even our own federal government. Perhaps most infamously, it also occurred when Yahoo acknowledged there was an email breach of a few hundred thousand accounts in 2013 that grew and grew over subsequent reports until, eventually in 2017, Yahoo acknowledged that literally every account had been affected.
In February, game studio CD Projekt Red acknowledged a breach of their corporate network. That breach was mostly of corporate assets, including source code for several games along with data from CDPR's "accounting, administration, legal, HR, investor relations, and more". The data was held for ransom, and the ransom note made no mention one way or the other of whether user data was affected. CDPR for its part indicated it would not be giving in to any monetary demands by the nefarious actors, but indicated it was working with law enforcement authorities to investigate the incident.
“We will not give into the demands nor negotiate with the actor, being aware that this may eventually lead to the release of compromised data,” the company writes. CD Projekt Red writes that it does not believe the breach contains personal data from players.
“We have already approached the relevant authorities, including law enforcement and the President of the Personal Data Protection Office, as well as IT forensic specialists, and we will closely cooperate with them in order to fully investigate the incident,” the company writes.
And, well, that's been it since February. For the lay observer, this looked like CDPR's systems and data had been restored from backup and that whatever work the authorities had done must have had a good effect, as no more information was released. For all the world, it appeared as though there was no real fallout from any of this.
Until this past Thursday, "coincidentally" the same day that E3 kicked off, when CDPR came out and admitted that the fallout from the breach both very much happened and is still going on.
As the entire gaming world laser-focused on Geoff Keighley’s sartorially questionable sneakers during the Summer Game Fest Kickoff Live! event, Cyberpunk 2077 studio CD Projekt Red released a statement regarding a February cyberattack against the company. Turns out, that data breach could not be contained.
“Today, we have learned new information regarding the breach, and now have reason to believe that internal data obtained during the attack is currently being circulated on the internet. [...] We are not able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games,” CDPR wrote in a tweet published at 2:39 p.m. ET, smack in the middle of today’s hotly anticipated showcase of video gaming advertisements.
This is the gaming industry equivalent of the old axiom: if you have to break news you really want to bury, break it at 5 p.m. on a Friday. In this case, CDPR was obviously attempting to limit the exposure of this news by announcing it just as the entire gaming world was focused on the start of E3. Why?
Well, perhaps it has something to do with just how vague CDPR is still being about what it lost in this data breach.
Today’s statement doesn’t say whether or not players of CDPR’s games were affected. Representatives for CDPR did not immediately respond to Kotaku’s request for comment.
That silence is not a good sign. Either CDPR doesn't know if user data was included in the breach, or it does know and doesn't want to say. That would indicate that the answer to the question of whether CDPR's customers' data is out there in the wild is somewhere between "yes" and "maybe".
And if the Geigner Effect holds true, one could expect a follow-up post to this one on exactly that topic.
Filed Under: breach, breach reporting, geigner's effect, under-reporting
Companies: cd projekt red
Reader Comments
Hey!
There has been a theorem proposed on these pages, originally by Mike himself, for a long time that goes something like this: when a data breach is first reported in the news, the severity of the breach is always, always, always underreported and there will eventually be an admission that the breach was much worse. Despite this not having been my original idea, I nonetheless slapped my name on it and called it The Geigner Effect.
Hey, wait a second...
Re: Hey!
Oh, let it rest, Mike. You already have your name tag on The Streisand Effect and Masnick's Impossibility Theorem, don't you? Leave some crumbs for Tim. 😁
Re: Re: Hey!
You may need to double-check who has their name on the Streisand Effect :)
Regarding the Geigner's Effect itself: Mike, you'd be in good company: https://en.wikipedia.org/wiki/Stigler%27s_law_of_eponymy ¯\_(ツ)_/¯
Re: Re: Re: Hey!
"You may need to double-check who has their name on the Streisand Effect :)"
Name tag, name tag. Mike, insofar as I know, coined the term "Streisand Effect" from the start. Or at least that's what the wiki says. :)
Re: Re: Hey!
Well it was a friendly Geigner counter argument.
Re: Re: Re: Hey!
A very active debate. To glowing acclaim.
Re: Hey!
If Tim's not careful about this, he may run afoul of the "Streisand Effect". ;)
Re: Hey!
"In mathematics, theorems are named after the second person to discover them, for the first is always Euler."
Mike is the Leonhard Euler of the digital age confirmed.
The axiom is wrong
The truth shall get you hung!
Re: The axiom is wrong
And they was right! /Sheriff Bart
Re: The axiom is wrong
Really? I gotta get me some of that
On the one hand, things like this are inevitable. Companies have to disclose breaches as soon as possible, within 72 hours in cases of companies like CDPR who have to abide by the GDPR, which naturally means the announcements come before a complete investigation is possible for any large company. Nobody's going to come immediately out of the gate with the worst case scenario, so they will hedge their bets, and issue follow-ups after the investigation. Said follow-up will contain anything that would be considered damaging or embarrassing to admit upfront, as it's clear that more people react to the initial breach notice than they do to the boring postmortem. Sometimes, companies get lucky with this gamble and they can confirm that the original announcement was as bad as it got.
On the other hand, it is a little concerning that CDPR has somehow managed to confirm that copies of their data are circulating online, but still can't confirm exactly what's contained in those copies. If I had to guess, they're still trying to decide how much they actually need to admit, they just rushed out the main announcement in the hopes that it would be overlooked during E3 coverage.
Re:
"Nobody's going to come immediately out of the gate with the worst case scenario, so they will hedge their bets, and issue followups after the investigation."
Well, what can you do? The very second the word "data breach" is mentioned in relation to investors and customer base every sphincter in legal spontaneously clenches into a pencil-sharpener. Not a single word in excess will be allowed to escape.
"...it is a little concerning that CDPR has somehow managed to confirm that copies of their data are circulating online, but still can't confirm exactly what's contained in those copies."
Or, as you imply later on, it's not that they can't. They'd simply very much rather not. Best case is they know damn well what's been lifted and are looking for legal to couch it in as scarce terms as possible. Worst case their processes are bad enough they'll have to reconstruct the database just to see what's in it or what it links to.
Re: Re:
"Well, what can you do?"
Not a lot. The rules are there because too many companies just didn't bother admitting to any breach unless they decided it was too big to hide, hence the 72 hour time limit under GDPR. It's just worth noting that companies will still admit to the bare minimum, meaning that any serious breach will be underreported initially. That's not an "effect" worth naming, it's just predictable ass-covering, the same as with any problem that customers and investors are privy to.
"Or, as you imply later on, it's not that they can't. They'd simply very much rather not"
Yes, but at some point the excuses start to sound silly. No doubt, this is damage control where they admit to there being a wider breach than initially claimed, while they scramble around to find a way to minimise what they finally confirm. It's just not convincing when they try to admit to both knowing the scope of the breach and not knowing the data involved.
Re: Re: Re:
That suggests that the disclosure requirements are not strict enough, if companies are allowed to make stuff up to cover their ass.
Especially as mainstream media rarely seems ready to do much more than parrot press releases, even when they're this unconvincing.
Re: Re: Re:
"but at some point the excuses start to sound silly."
...or they launch a massive lawsuit at whatever unlucky person discovered the flaw or weakness in the hope to deflect as much blame as possible <cough> Sony <cough>.
Re: Re:
"Or, as you imply later on, it's not that they can't. They'd simply very much rather not."
Could be. But to be fair, it's also possible that a) they couldn't tell for sure what was accessed and b) the data dump was spotted for sale on some underground black market, but they would have to actually buy it to tell what exactly is in it, which they quite understandably might not be inclined to do.
"...the breach is always, always, always underreported..."
And here I thought it was simply, always underreported. Silly me. :)
It is a bit concerning
You forgot to mention, among the major whoppers of data breaches, the Sony PS3 hack which stands out as being the textbook example of poor security choice where the "hack" in question was mainly that a user assuming control over their at-home hardware automatically provided developer access to the Sony network.
It reminds me of a brief discussion I had with PaulIT on these boards recently about the shoddy state of "adequate" security in corporations. Game companies especially appear to have become the low-hanging fruit for crackers looking for soft targets.