Insomniac Games, the developer of popular titles such as Marvel’s Spider-Man and Ratchet & Clank, has been hit by a ransomware attack that resulted in the leak of confidential data, including details of upcoming games, contracts, and personal information of staff.
The ransomware group Rhysida claimed responsibility for the attack and demanded 50 BTC, or around $2 million, from Insomniac within seven days. The hackers threatened to release 1.67 terabytes of data, made up of more than 1.3 million files, if the ransom was not paid. Insomniac refused to comply with the demand, and Rhysida followed through with their threat on Tuesday, dumping the data on their leak site.
Wolverine, Venom, X-Men and more revealed
Among the leaked data are videos and images showing early footage of the upcoming Marvel’s Wolverine game, which was announced in September 2021. The data also reveals the game’s cast, locations, plot, and target release date of 2026. Additionally, the data contains information about other planned games from Insomniac, such as:
- Marvel’s Venom: Lethal Protector, a spin-off game that leads into Spider-Man 3, set to release in 2025
- Marvel’s Spider-Man 3, the sequel to Spider-Man 2, set to release in 2028
- A new Ratchet & Clank game, set to release in 2029
- Marvel’s X-Men, a new franchise based on the mutant superheroes, set to release in 2030
- An untitled new IP, set to release in 2031/2032
The data also includes an extended roadmap that shows multiple X-Men games and a second new IP game planned for 2035. Furthermore, the data reveals Insomniac’s multiplayer ambitions, which include Spider-Man 2 Online for 2024, Wolverine Online for 2026, and X-Men Online for 2028.
Contracts, budgets, and personal data exposed
The data breach also exposed sensitive information such as contracts, budgets, and personal data of Insomniac staff. The data includes a contract signed by both Marvel and Sony for future projects, software licensing agreements with Nvidia, and details of the company’s royalty bonus plans. The data also shows the development budget for each game, which ranges from $120 million to $150 million.
The personal data of Insomniac staff includes passport information, Slack messages, email addresses, and phone numbers. The hackers also claimed to have a bootable build of Wolverine, which could potentially be used to run the game on unauthorized devices.
Sony and Insomniac respond to the breach
Sony, the parent company of Insomniac, issued a statement saying that it had launched an investigation into the breach and confirmed that no other Sony divisions were affected. Sony also said that it was working with law enforcement and cybersecurity experts to mitigate the impact of the breach and prevent further leaks.
Insomniac also released a statement on its official Twitter account, apologizing to its fans, partners, and employees for the breach. Insomniac said that it was deeply saddened by the attack and that it was doing everything possible to protect its data and assets. Insomniac also thanked its supporters for their understanding and patience.
The impact of the breach on the gaming industry
The data breach of Insomniac Games is one of the largest and most damaging in the history of the gaming industry. The breach not only compromises the security and privacy of Insomniac and its staff, but also spoils the surprise and excitement of its upcoming games for millions of fans. The breach also poses a threat to the intellectual property and competitive advantage of Insomniac, as the leaked data could be used by rival developers or malicious actors.
The breach also raises questions about the cybersecurity practices and preparedness of the gaming industry, which has been increasingly targeted by ransomware groups in recent years. In 2021, CD Projekt Red, the developer of Cyberpunk 2077, was also attacked by a ransomware group that leaked source code and internal documents. Other gaming companies, such as Ubisoft, Capcom, and Electronic Arts, have also suffered data breaches in the past.
The breach also highlights the need for more awareness and education among gamers and consumers about the risks and consequences of data leaks. While some gamers may be tempted to view or download the leaked data out of curiosity or excitement, they should be aware that doing so could expose them to malware, phishing, or legal action. Moreover, gamers should respect the hard work and creativity of the developers and avoid spoiling the games for themselves and others.
