Hundreds of employees are affected by the data breach
On December 12, the notorious ransomware group Rhysida announced that it was holding a large amount of Insomniac Games data hostage. Insomniac Games would have to pay to keep the information from being released. Rhysida demanded 50 bitcoin (roughly $2 million) for the data, and it was willing to accept payment through an auction on its dark web site. When the seven-day deadline passed without a buyer, Rhysida posted the majority of the hacked data online, a massive 1.67 TB containing over 1.3 million files, according to cybersecurity website CyberDaily.
The data was uploaded in three parts, each organized in a data catalog with a similar interface to Microsoft’s File Explorer. These files contain a plethora of pre-production materials from Insomniac’s upcoming Wolverine game, such as design documents, casting information, and level designs. In-progress gameplay from Marvel’s Wolverine began to circulate quickly, as did other details about the studio’s collaboration with Marvel.
It’s a devastating and unprecedented leak of game data, on par with last year’s Grand Theft Auto 6 hack. According to Adam Marrè, chief information security officer at Arctic Wolf and former Avalanche Software game developer, the Insomniac breach “appears to be one of the more significant breaches in the gaming industry.” According to Jonathan Weissman, a principal lecturer in the Department of Cybersecurity at Rochester Institute of Technology, the cyberattack and subsequent leaks are “completely unprecedented.”
However, the Insomniac leak contains far more than just game assets. Hundreds of employees could have been doxxed.
“First, there are files from the upcoming Wolverine game and the company’s 12-year release plan,” Weissman reportedly said. “That, alone, is terrible. However, it’s much deeper than that. We’re talking about non-disclosure agreements with major companies and studios, internal developer Slack communications, internal HR documents, scanned employee passports, and more.”
Internal investigations and disciplinary reports, employees’ personal information (such as passport scans), recorded videos of meetings, and even a list of employees and their T-shirt sizes are among the sensitive HR documents published by Rhysida. The breach jeopardizes the livelihoods of hundreds of employees in an industry that is already hostile to developers, particularly those from marginalized groups. (Harassment and threats from players toward video game developers are a serious problem in the industry, according to a 2023 Game Developers Conference poll, with 40% of respondents having personally experienced it.)
According to Marrè, the scope of the leak, specifically, the inclusion of employee information and communications, is unusual for the video game industry, making this “a more severe violation of privacy and security.” It is comparable to other large-scale hacks in other industries involving employee data.
According to game developer Rami Ismail, the Insomniac leak is indeed disappointing, and it has an effect on how a game is perceived. He claims that developers always say “People only know what ships,” which means that “players will judge a game by how it ships,” rather than the process that led to the end result. Leaking unfinished game assets is a “questionable and deeply hurtful” practice, according to Ismail, but publishing employee information is “just straight-up evil.”
“It is horrifying to me that these game developers now have to worry about their personal information being out there,” Ismail said in an email. “I have intentionally not taken a look at the files, but I would assume these files might contain names, addresses, or other sensitive information — in which case, developers, a group already at risk of doxxing and hatred — now have to figure out how to keep themselves and their families safe.”
Despite being a relatively new operation, Rhysida, the group that hacked Insomniac and published the information online, is known to government agencies. According to the US Department of Health and Human Services’ Office of Information Security, Rhysida operates remotely, using phishing and other types of attacks. In November, the United States Cybersecurity and Infrastructure Security Agency issued a warning about Rhysida ransomware, which had targeted the healthcare industry and government institutions. CISA declined to comment on the Insomniac hack, instead directing readers to its November announcement.
According to Marrè, Sony and Insomniac must improve their cybersecurity measures. “This could include strengthening network security, implementing more robust authentication processes, and conducting regular security audits and penetration testing,” he said. “Employee training on cybersecurity awareness is also vital to mitigate risks from phishing or social engineering attacks.” He proposed that the company provide credit monitoring or an identity theft protection program.