Insomniac Games alerts employees hit by ransomware data breach

Sony subsidiary Insomniac Games is sending data breach notification letters to employees whose personal information was stolen and leaked online following a Rhysida ransomware attack in November.

The California-based video game developer has been part of Sony Interactive Entertainment's Worldwide Studios division (now known as PlayStation Studios) after being acquired by Sony in August 2019.

The gaming studio's most recent project is Marvel's Spider-Man 2, released for PlayStation 5, and is currently working on Marvel's Wolverine for the same platform.

In December, Sony said they were investigating the Rhysida ransomware gang's claims that they breached Insomniac Games and stole over 1.3 million files from its network.

After negotiations failed when the game studio refused to pay the $2 million ransom, Rhysida dumped 1,67 TB of documents on its dark web leak site.

"We are saddened and angered about the recent criminal cyberattack on our studio and the emotional toll it's taken on our dev team," the studio said in a statement published on Twitter after the leak.

"We are aware that the stolen data includes personal information belonging to our employees, former employees, and independent contractors."

The leaked files include many ID scans and internal documents, such as contract information and licensing agreements with Marvel and Nvidia, as well as screenshots of Insomniac Games' upcoming Wolverine game.

As claimed on Rhysida's site, the threat actors have only leaked 98% of the files they stole from the studio after selling the rest to the highest bidder.

​Now, Insomniac Games is notifying employees whose data was stolen between November 25 and November 26 and later leaked on the Rhysida ransomware group's leak site.

"As you know, we store and maintain files containing employment information, including personal information about you. Unfortunately, these files were downloaded by an unauthorized actor and released online," the breach notification letter says.

"Once Insomniac identified the downloaded files, we began analyzing the files to determine what types of personal information were affected and to whom it relates. While we worked quickly, this was a time-consuming process, and we wanted to provide you with accurate information."

Insomniac and Sony are extending the ID Watchdog services offered as part of their employee benefits package with two additional years of complimentary credit monitoring and identity restoration beyond the current enrollment period.

The company also has a dedicated call center ready to answer any questions affected employees may have about the November ransomware attack.

A Sony spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more info on how many individuals were affected by this data breach and what personal information was leaked online.

The Rhysida ransomware-as-a-service (RaaS) operation surfaced in May 2023 and quickly gained notoriety after breaching the Chilean Army (Ejército de Chile) and the British Library.

While the U.S. Department of Health and Human Services (HHS) linked the Rhysida gang in August to multiple attacks against U.S. healthcare organizations, a joint advisory issued by CISA and the FBI warned of the group's opportunistic attacks targeting organizations across multiple industry sectors.