The catastrophe of the Insomniac hack goes far beyond leaked games
On December 12, the infamous ransomware group Rhysida announced that they were taking a ton of data from Insomniac Games hostage. If Insomniac Games wanted to prevent the information from being released, it would have to pay. Rhysida wanted 50 bitcoin (about $2 million) for the data – and was willing to take it everyone who wanted it, through an auction on the dark website. When the imposed seven-day deadline passed without a buyer in place, Rhysida posted most of the hacked data online – a massive 1.67 TB containing more than 1.3 million files, according to cybersecurity website CyberDaily.
The data was uploaded in three separate parts, each organized in a data catalog with an interface similar to Microsoft's File Explorer. These files contain a lot of in-development material from Insomniac's upcoming Wolverine game, including design documents, casting information, and level designs. Ongoing gameplay of Marvel's Wolverine began to spread quickly, as did other information about the studio's partnership with Marvel. It is a devastating and unprecedented leak of game information, comparable in scale to last year's Grand Theft Auto 6 infringement. Adam Marrè, head of information security at cybersecurity firm Arctic Wolf and former game developer at Avalanche Software, told Polygon that the Insomniac breach “appears to be one of the most significant breaches in the gaming industry.” Jonathan Weissman, associate professor in the Department of Cybersecurity at the Rochester Institute of Technology, told Polygon that the cyberattack and subsequent leaks are “completely unprecedented.”
But the Insomniac leak involves much, much more than just game assets. In fact, hundreds of employees could be doxxed.
“First, there are files from the upcoming Wolverine game and the company's 12-year release plan,” Weissman told Polygon. “That alone is terrible. However, it goes much deeper than that. We're talking non-disclosure agreements with major companies and studios, internal developer Slack Communications, internal HR documents, scanned employee passports and more.”
Among the sensitive HR documents published by Rhysida are internal investigations and disciplinary reports, employee personal data (such as passport scans) and recorded videos of meetings – even a list of employees and their T-shirt sizes. The breach puts hundreds of workers at risk in an industry already hostile to developers, especially those in marginalized groups. (Player harassment and threats against video game developers are a serious problem in the industry – more than 75% of developers a 2023 Game Developers Conference survey said thiswhere 40% of respondents have experienced this directly.)
Marrè said the extensive nature of the breach – particularly the recording of employee information and communications – is atypical for the video game industry and makes this “a more serious breach of privacy and security.” It can be compared to other large-scale hacks in other sectors where employee data plays a role.
Game developer Rami Ismail told Polygon that the Insomniac leak is indeed disappointing and does have an impact on how a game is perceived. He said that developers always say “people only know what ships,” meaning that “players will judge a game based on how it ships,” and not the process that led to the end result. It is a “questionable and deeply hurtful” practice to leak unfinished game assets, Ismail said, but publishing employee information is “just downright evil.”
“It is horrifying to me that these game developers now have to worry about their personal information becoming public,” Ismail said in an email. “I purposely didn't look at the files, but I assume these files may contain names, addresses, or other sensitive information – in which case developers, a group already at risk of doxxing and hate – now need to figure out how to can protect themselves and their families.”
Rhysida, the group that hacked Insomniac and published the information online, is known to government agencies despite being a relatively new operation. The Office of Information Security at the U.S. Department of Health and Human Services said Rhysida uses phishing attacks to gain remote access, as well as other types of attacks. Also the US Cybersecurity and Infrastructure Security Agency warned about the Rhysida ransomware in November after the organization focused on the healthcare sector And government institutions. CISA declined to comment on the Insomniac hack, instead pointing to its notification in November.
Marrè told Polygon that Sony and Insomniac need to improve their cybersecurity measures. “This could include strengthening network security, implementing more robust authentication processes and conducting regular security audits and penetration testing,” he said. “Employee training in cybersecurity awareness is also critical to mitigating the risks of phishing or social engineering attacks.” He suggested the company could offer a credit monitoring service or an identity theft protection program.
Weissman agreed that employee training is of paramount importance: “The weakest link in any cybersecurity implementation will always be the human,” he said. “It takes a single click on a link or download and opening/executing an attachment to undo it (security measures). It goes without saying that cybersecurity education and training for employees is of the utmost importance.”
For Rhysida, the goal seems to be money: a spokesperson for the group told CyberDaily as much. These types of hacks on video game companies appear to be on the rise, perhaps because of the value of the information they contain. Many players are clamoring for all the information they can get about a highly anticipated game, including leaked information, while personal data remains valuable on the dark web. Rocksteady Studios and Warner Bros. recently experienced a leak – likely due to a closed alpha test – for Suicide Squad: Kill the Justice League. In December the GTA6 trailer was released early after a leak, and of course before that there was the ongoing footage breach (two teens were arrested and charged in the latest hack). Hackers also reportedly gained access to information about The Last of Us Part 2 before it was released by exploiting a vulnerability in The last of us. In 2023, Microsoft and Bethesda also had a breach, but with physical copies of the game Starfield after copies of the unreleased game were stolen from a warehouse.
In a case more similar to the recent Insomniac breach, CD Projekt Red reported that information of current and former employees and contractors was stolen in June 2021. Before that, in 2020, Capcom faced a ransomware attack that leaked game information and hundreds of people's personal information. thousands of people, including customers, shareholders and employees.
Sony Interactive Entertainment did not respond to Polygon's request for comment on how it plans to protect its employees going forward.