Hackers dump personal data, game files, in calamitous Insomniac Games leak

Members of ransomware hacker group Rhysida have publicly shared thousands of documents acquired in their cyberattack on Sony subsidiary Insomniac Games, exposing employees' personal information just days before the holidays.

Australian cybersecurity news site CyberDaily reviewed the contents of the documents, which also contained legal contracts and details of Insomniac Games' upcoming releases. According to the outlet, the leaked information appears to include I-9 employment contracts, termination documents, photos of passports, and archived Slack channel conversations with communications between employees.

The hackers had previously demanded $2 million from Sony to return the pilfered data.

The exposure of all these documents can come with grave consequences for employees at Insomniac Games. Social security numbers, passport IDs, and personal addresses can all be employed in the acts of stalking, harassment, and identity theft.

A member of Rhysida speaking with CyberDaily indicated that the attack was launched for purely financial reasons, and that Sony's investigation on the attack would be best held "in its own backyard."

It is worth noting that those staging ransomware attacks on high-profile companies would have an interest in misdirecting efforts to uncover the means and motives of their craft.

The exposure of sensitive information on Insomniac Games' upcoming game Marvel's Wolverine and Marvel's Spider-Man 2 is of secondary concern to workers who have now been effectively doxxed, but it comes with its own demoralizing consequences. Developers eager to show the world their work when it was ready now have to watch the information get pored over by overzealous fans.

Developers on social media are already reacting with outrage over the invasive act. Remedy Entertainment posted its own statement in support of Insomniac Games, writing "after all the effort and dedication they have poured into their games, they didn't deserve this. No one does."

"The hackers also leaked employee's personal information, which is truly disgraceful and shameful."

Wushu Studios and That's No Moon—two companies founded by ex-Sony developers—also posted their own statements in solidarity with their former colleagues.

Ransomware attacks come with serious consequences

As noted by Kotaku, Sony's video game division faced multiple cyberattacks in 2023, though this December assault appears to be the most wide-reaching and impactful to individual developers. Developers Rockstar Games and Rocksteady Studios have also had to grapple with the theft of sensitive data on upcoming games in the last year.

Sony has been the target of major cyberattacks for the last decade, with the most comparable one to this month's being the hacking of Sony Motion Pictures in 2014. The data dumped from that assault also exposed personal information of employees and let a slew of sensitive documents pour out into the public eye.

A ransomware attack on CD Projekt Red in 2021 left some developers unable to access work systems in a critical time period for the studio, as remote work forced on the company by the COVID-19 pandemic kept them from physically gathering at the studio to work on critical fixes to Cyberpunk 2077.

Developers victimized by cyberattacks are placed in an exceptionally difficult spot during moments like this. At best, the theft of game information may deflate sales of the game or just mar the experience of sharing their work with the world.

At worst, they find themselves victimized by bad actors who immediately exploit sensitive data while watching the world pore over sensitive documents, screenshots, and game footage. It's nearly impossible to contain the spread of such information once it's proliferated—but it's worth remembering the sharing of such secrets comes with a high price.