Last week Sony and Insomniac had to make the unfortunate announcement that Insomniac had suffered a massive security breach that resulted in around 1.6TB of data being stolen. Among the data was the personal information of numerous Insomniac employees, along with the company’s plans for upcoming games.
Ransomware group Ryhsida claimed to be behind the breach and demanded a payment of 50 Bitcoins – worth around $2 million – within a week or they would release everything they had acquired.
Today, Ryshida carried out their threat and has released the data. It is currently unknown if Sony and Insomniac paid the ransom demand and Ryshida simply went ahead with their plan regardless. However, anyone was welcome to bid on the data and it seems that somebody did. As reported by Cyberdaily, only 98% percent of the total data stolen has been uploaded, with the remaining 2% going somewhere else.
It’s typically a roll-of-the-dice on whether paying the ransom will work or not, and that’s because there’s a strange honor-among-thieves type of logic at work. You might assume that criminals launching ransomware attacks would simply take the money and then release the data anyway. However, if ransomware groups did that consistently company’s would stop paying ransoms altogether, figuring it would be best to simply deal with the leak rather than have to deal with the leak AND lost a chunk of money. And so, it’s actually in a ransomware group’s best interest to hand the data back if they get paid – they gain nothing from keeping the data, as typically most company’s refuse a second ransom demand.
In 2020, Proofpoint’s State of the Phish report delved into the statistics behind ransomware attacks. It found that 70% of the organization’s that paid the ransom did actually get their data back. However, in the 30% that remained there were 22% who paid the ransom and never got access to their lost data.
Whether Sony and Insomniac paid the ransom or not, the resulting data leak is massive, including a product schedule that goes all the way to 2035, revealing a host of unannounced Insomniac titles. Far more worrying was that the data contained passport scans, HR documents and much more, all potentially devastating to innocent people.
Out of respect to Sony and Insomniac I will not discuss in any detail exactly what was leaked. There are plenty of places already providing breakdowns of what was contained in the trove.
Hopefully Sony and Insomniac can learn from this harsh lesson and beef up their security in order to stop anything like this happening again.