The catastrophe of the Insomniac hack goes way beyond leaked games

On Dec. 12, notorious ransomware group Rhysida announced it was holding a mass of Insomniac Games data hostage. If Insomniac Games wanted to keep the information from being released, it would have to pay up. Rhysida wanted 50 bitcoin (roughly $2 million) for the data — and it was willing to take that from anyone who wanted it, via an auction on its dark-web site. When the imposed seven-day deadline passed without a buyer, Rhysida posted most of the hacked data online — a massive 1.67 TB that contains more than 1.3 million files, according to cybersecurity website CyberDaily.

The data was uploaded in three separate parts, each one organized in a data catalog with an interface similar to Microsoft’s File Explorer. These files include lots of in-development materials from Insomniac’s upcoming Wolverine game, including design documents, casting information, and level designs. In-progress gameplay from Marvel’s Wolverine started to spread quickly, as did other information about the studio’s partnership with Marvel. It’s a devastating and unprecedented leak of game information, similar in scope to last year’s Grand Theft Auto 6 breach. Adam Marrè, chief information security officer at cybersecurity company Arctic Wolf and former Avalanche Software game developer, told Polygon that the Insomniac breach “appears to be one of the more significant breaches in the gaming industry.” Jonathan Weissman, a principal lecturer at Rochester Institute of Technology’s Department of Cybersecurity, told Polygon that the cyberattack and subsequent leaks are “completely unprecedented.”

But the Insomniac leak includes far, far more than just game assets. Effectively, hundreds of employees may have been doxxed.

“First, there are files from the upcoming Wolverine game and the company’s 12-year release plan,” Weissman told Polygon. “That, alone, is terrible. However, it’s much deeper than that. We’re talking about non-disclosure agreements with major companies and studios, internal developer Slack communications, internal HR documents, scanned employee passports, and more.”

Among the sensitive HR documents published by Rhysida are internal investigations and disciplinary reports, employees’ personal details (such as the passport scans), and recorded videos of meetings — even a list of employees and their T-shirt sizes. The breach puts hundreds of employees at risk in an industry that’s already hostile to developers, particularly people in marginalized groups. (Harassment and threats from players toward video game developers is a serious problem in the industry — over 75% of developers in a 2023 Game Developers Conference poll said so, with 40% of respondents having experienced it directly.)

Marrè said the extensive nature of the leak — specifically, its inclusion of employee information and communications — is atypical for the video game industry, and makes this “a more severe violation of privacy and security.” It can be compared to other large-scale hacks in other industries where employee data comes into play.

Game developer Rami Ismail told Polygon that the Insomniac leak is indeed disappointing, and it does have an impact on how a game is perceived. He said developers always say “people only know what ships,” meaning that “players will judge a game by how it ships,” not the process that led to the end result. It’s a “questionable and deeply hurtful” practice to leak unfinished game assets, Ismail said, but publishing employee information is “just straight-up evil.”

“It is horrifying to me that these game developers now have to worry about their personal information being out there,” Ismail said in an email. “I have intentionally not taken a look at the files, but I would assume these files might contain names, addresses, or other sensitive information — in which case, developers, a group already at risk of doxxing and hatred — now have to figure out how to keep themselves and their families safe.”

Rhysida, the group that hacked Insomniac and published the information online, is known to government agencies despite being a relatively new operation. The United States Department of Health and Human Services’ Office of Information Security said Rhysida operates by using phishing attacks to gain access remotely, as well as other types of attacks. The U.S. Cybersecurity and Infrastructure Security Agency also warned against Rhysida ransomware in November after the organization targeted the health care industry and government institutions. CISA declined to comment on the Insomniac hack, instead pointing toward its November notice.

Marrè told Polygon that Sony and Insomniac must improve their cybersecurity measures. “This could include strengthening network security, implementing more robust authentication processes, and conducting regular security audits and penetration testing,” he said. “Employee training on cybersecurity awareness is also vital to mitigate risks from phishing or social engineering attacks.” He suggested that the company may offer a credit monitoring service or identity theft protection program.

Weissman agreed that employee training is paramount: “The weakest link in any cybersecurity implementation will always be the humans,” he said. “It takes a single click of a link or a download and opening/running of an attachment to undo [security measures]. Needless to say, cybersecurity education and training for employees is most important.”

Image: Insomniac Games

For Rhysida, the objective appears to be money — a spokesperson for the group told CyberDaily as much. These sorts of hacks on video game companies appear to be increasing, perhaps because of the value of the information they contain. Many players clamor for any information they can get about a much-anticipated game, including leaked information, while personal data remains valuable on the dark web. Rocksteady Studios and Warner Bros. recently experienced a leak — likely from a closed alpha test — for Suicide Squad: Kill the Justice League. In December, the GTA 6 trailer was published early after a leak, and, of course, there was the in-progress footage breach before that (two teenagers were arrested and charged for the latter hack). Hackers also reportedly accessed information on The Last of Us Part 2 before it was released by exploiting a vulnerability in The Last of Us. In 2023, Microsoft and Bethesda also had a breach, but with physical copies of the game Starfield after copies of the as-yet-unreleased game were stolen from a warehouse.

In a case more similar to Insomniac’s recent breach, CD Projekt Red reported that current and former employee and contractor information was stolen in June 2021. Before that, in 2020, Capcom faced a ransomware attack that leaked game information and the personal information of hundreds of thousands of people, including customers, shareholders, and employees.

Sony Interactive Entertainment has not responded to Polygon’s request for comment on how it plans to protect its employees in the future.