The Insomniac Hack

Insomniac have been hacked, the latest company to fall afoul of a ransomware scheme. With data now released to the public, we're going to talk about how we cover it - and how you should take caution with your consumption of any information.

Conor Caulfield

A 2 million dollar ransom was not paid by Sony, which has meant that 1.3 million documents relating to Insomniac Games are now on the internet.
These detail the personal information and details of many staff, as well as internal documents, game builds and plans for the next 10 years of development at the studio.
Make no mistake, this hack has done incredible damage already, and will continue to do so.

Today we’re going to take you through what happened, refresh you on our position around reporting on hacks like this and address some of the more newsworthy elements that have appeared. This is the kind of reporting that takes time and consideration, which is why we’ve delayed running this story to get a proper handle on the facts, and that’s only possible with your support.

This is An Active Hack, Not A Passive Leak

  • Insomniac was hacked last week.
    • Around 1.7 terabytes of data was stolen, and then ransomed against the company.
  • The ransomware group Rhysida threatened to release data last week unless their $2m ransom was met by Sony.
    • It wasn’t.
  • Rhysida are now claiming 98% of "not sold" data is now publicly available, resulting in 1.3 million sensitive documents from Insomniac internal servers floating around.
  • Unfortunately, this has been said to include everything from a bootable build of Wolverine, to detailed plans for the next decade of games, to employee passport scans and personal documentation.
  • This does not just affect current staff at the company (who are hopefully now being supported in the significant amount of emergency administrative work they’re going to be required to do over the holiday break) but also ex staff whose information was still on file somewhere.
  • We will be seeing the repercussions of this leak for years.
    • If nothing else, following this Hack there is going to be a massive infosec overhaul at Insomniac and probably Playstation, something that is going to be incredibly disruptive.
    • While staff have to reset credit cards, work out whether they now have to move because their home addresses are available and deal with so many potential risks.
  • The choice of Hack is an important point of framing and wording.
    • This is not a passive leak - which implies a screen seen on public transport, an email sent to the wrong person or someone talking about the wrong thing in a bar.
    • This is an active hack - where a group of actual mercenary hackers illegally accessed systems including personal data and then attempted to use that to blackmail a company.
  • And in particular it’s a devastating hack - one that is reminiscent of the early 2020 Capcom Ransomware attack or the GTA VI Hack, both of which reveal the plans for years of development from a single company.

How We Intend to Cover This Sort of Thing - Why Others Won’t (And That’s Okay)

  • The hacked and distributed information is one thing, but coverage around them has become a story in and of itself.
  • Overall the sheer fact that there's so much engagement is probably a good thing - we want an audience for games who are engaged and interested in how these things work.
  • So breaking it down:
    • For some there is no ethical way to cover any aspect of this hack - as a result of benefitting from reporting that it happened.
    • For others - the Hack as an event can be covered, but to dig into the details in any way is to further the harm done by the ransomware gang.
      • Fruit of the Poisoned Tree is the usual metaphor.
    • And then there’s the more complex position. That the hack is a valid story, as are the contents that don’t relate to personal information, because the press shouldn’t be beholden to a company’s desires.
      • Otherwise there’s a question of what is reporting and what is PR, as articulated excellently by Riley MacLeod at Aftermath:
        “If how an upcoming game looks is important and worth reporting on, then isn’t that true even when we’re not given permission to say so by PR departments?”
  • There are many arguments about this because there is not one ethical position that is correct. Instead, it is a conversation, one that each outlet has to have internally and stand behind.
  • One we had ourselves (again) when choosing how to cover this.
    • We are not the games industry on this channel - and while we do intend to surface the views of a variety of developers and represent them to the audience fairly and honestly, that doesn’t mean we’re always going to approach events in the same way they will.
  • For us then - following on from how this went last time with Rockstar.
  • This is a malicious, criminal hack that has released the personal details of current and ex-Insomniac employees in a way that actively threatens their livelihoods and potentially homes at the worst possible time of year.
    • That has to be the starting point.
  • The information from the hack is public, that cannot be undone, you’re going to see things about Sony and Insomniac and others - we can at least explain how you should understand these and what any of it means.
    • In particular, how these can be understood responsibly.
  • There are things we’ll approach in more detail as a result, but these will be broadly limited to Sony internal corporate information that is about the wider industry.
  • There is minimal newsworthiness for this channel in talking about the next ten years of Insomniac outside of that, or specifics about which games have leaked and how.
  • Our position is a judgement on whether our reporting will bring harm to an individual (not the same thing as a company, despite what the American legal system suggests) and whether there is an element of the story we can educate our audience about in a responsible way.
  • From Michael - I think some are being reactionary in how they come down on this, aren’t applying their principles fairly across different hack stories, and some are, to me, playing to or falling foul of in-group bias. Yes, a dev may not like us covering Sony’s corporate stuff. And that’s okay. But we’re the press.
  • Be it people going after Ash Parrish for explaining the basics of how journalism works, or other examples, this rapidly got f’ing stupid, as things on the internet can do.

The Things Worth Talking About

  • The Caveat:
    • Much as when we covered the accidental leaks of Xbox’s line-up back in the summer or the active hack of Rockstar, every piece of information discussed here is only as valid as the day it was written down.
    • The industry (especially post covid) changes so fast that any of this can be scrapped at any time.
  • As such, in-development gameplay, scripts, character designs and even game pitches are functionally not that interesting to us.
    • Odds are the final result will be significantly different than what is in this information.
  • What we can talk about are retrospective numbers, feelings and how these can be interpreted.
  • We’ll do our best to set this in context because frankly, there isn’t any for most of this and that’s its own barrier to being useful.
  • With that in mind, let’s see what’s worth investigating.

General Sales Numbers:

  • Believed to be from late February 2022, so space afterwards to account for the shift to Playstation Plus Premium libraries and many of these games being available there.
  • Things worth noting -
    • Lifetime to date digital sales are far lower than might have been expected for many titles, with MLB 21 being a high point.
      • This increases in the PS5 era, which makes sense considering the pandemic and the digital-only version.
    • What you can see mostly is that Playstation games are selling well.
    • But there are some oddities you might not expect.
      • Horizon outsold everything that wasn’t God of War or Spider-Man on PS4 (including Last of Us 2 and Uncharted 4) which explains Sony leaning on that franchise for VR titles, Transmedia opportunities and an upcoming co-op multiplayer.
      • Bloodborne is in there with 7m units sold lifetime, about as much as Days Gone.
      • Remasters and PS5 ports routinely do well - Ghost of Tsushima PS5 ending up making nearly a quarter of the original release in sales.
  • But this is just one piece of the puzzle.
  • Knowing how much a game sold is one thing - how much it earned compared to development is another.
  • One of the images that has gone viral is this slide seemingly showing Insomniac Games' return on investment (including projections for future titles).
  • Please let your eyes water at the projected costs of AAA game development in the 2020s being at minimum $300M.
    • Though it also helps to know that Marvel has seemingly committed $120m to each of the titles they’ve commissioned from Insomniac alongside a $9m advance in exchange for exclusivity around the licenses and healthy royalties of 9-18% on digital sales or 19-26% on physical sales.
      • As well as a get-out clause of being able to cancel the contract if any project fails to sell at least 6m copies in the first year.
    • These licensed games in particular are heavily subsidised, which impacts that minimum cost.
  • Now - this has some big numbers on it - but the one everyone focussed on was that loss.
    • The suggestion that Ratchet & Clank: A Rift Apart had in fact been a 10% loss on the investment.
  • Obviously - that’s news in many ways, as that game was a flagship for the PS5 in showcasing the SSD.
  • But it ignores a couple of points of context.
    1. Loss leaders are a thing, especially as tech is developed for new consoles, which could explain all of this.
    2. But also there’s no date on this slide.
  • So when we go back and we look at our general sales numbers - Lifetime to Date in February 2022 is $145m.
    • Ratchet & Clank: A Rift Apart is fine.
    • This slide is showing current projections before R&C even came out.
  • This hopefully highlights the importance of taking all of this in the proper context - each individual element is difficult without the next.
  • With that in mind, let’s start drilling down.

The PC Gaming Angle:

  • Details from February 2023
    • Sony is doing very well out of its PC ports on Steam alone.
    • Multiple millions of Sales over the course of 1.5 years for H:ZD, GoW and Days Gone, while Spider-Man hit that 1m marker in six months.
  • What we can probably see is that it isn’t necessarily enough for Playstation to just drop a game on Steam.
    • This would have been compiled before or around the launch of Returnal
    • But niche titles (or those that haven’t had massive marketing pushes or brands behind them) are not hitting in the same way as the three 1.5 year old games.
  • So what can we take away? Steam for Playstation is successful. Not necessarily for all games, but in building up a library on the platform - some of these are just going to sell better than others.
    • When Sackboy’s launch competition, genre mismatch and lack of brand recognition on the platform are taken into account, it’s a sign that Sony might need to actively get involved in some
  • This was something people had broadly already internalised by looking at Steam player numbers.
  • There are numbers floating around that we haven’t been able to see hard sources for - that suggest things like a $4.6m projected budget for Spider-Man 2 on PC, while Miles Morales only cost $1.5m.
  • Overall - it suggests that the PC ports are effectively free returns on investment for the most part.
    • But Sony’s investment in this wider ecosystem isn’t necessarily about taking the fight to Microsoft.

The Wider Industry Context

  • One of the most important things we’ve seen though are slides which reveal how Sony feel about the general console space - and the Activision Acquisition.
  • These are not surprising things to read.
    • Mostly because if we can come up with this analysis, someone Sony is paying more highly than us definitely can.
    • But it is worth noting that even when they’re not grandstanding for regulators, Sony are explicitly talking about the potential for Xbox to come back from behind in the console race.
  • The details of how this could work are thus worth digging into.
  • Timeframe - some point after the announcement of the merger but, based on the framing of “timing and in game differential as the weapons”, some point before they had a legal confirmation that there would be complete parity between consoles.
    • Gamepass is still a threat because of potential day one drops for Call of Duty and this being spread across PC and Console.
    • The Leapfrog potential comes from multiple places - The acquisition of a suite of live service games, the ability for mobile scaling with King (recently made even more important with the Epic/Google ruling) and then a self sustaining PC storefront with Battle.net.
Sony’s Pillars are already dated and behind the competition.
  • Again, we know this from context. Sony doesn’t have a live service background. They don’t have a mobile infrastructure (despite trying multiple times) and they don’t have a PC background.
    • While they’re succeeding on console, they’re being outmanoeuvred elsewhere.
  • In the areas that they aren’t yet challenging Microsoft, that’s one thing.
    • But Subscription services should be another.
  • PSPlus in all its options is a halfway house between a service that lets you play online and the sheer quantity of games that Gamepass gives on day one.
    • Sony know this and so they simply won’t compete with Gamepass on their terms.
Premium Content - Expectation of free, best-in-class games creates unsustainable model. Monthly and incremental subs won’t cover investment. Unified mobile, PC, console experience doesn’t exist. Form Factor and Computer power are too diverse.
  • Again, none of this is new, but it is being written down.
    • The Gamepass model of multiple platforms all getting “free” games at launch simply doesn’t work for them - as they believe it wouldn’t be a sustainable investment.
  • Compare this to a recent statement from Phil Spencer in an interview with Windows Central:
We have a service that is financially viable, meaning it makes money, in Game Pass. We've put a lot of money into the market, over a billion dollars a year supporting third-party games coming into Game Pass.
  • So like we’ve been arguing for a while, Sony and Xbox are simply taking entirely different approaches to success.
  • Sony are going to stick with their premium model - likely even in their Live Services when they eventually come out.
    • This is why they can cancel six of them and frame it as “ensuring quality”
  • While Microsoft will be able to take every approach otherwise.
  • The fallout from these hacks will likely continue for the next few months, both in personal impact on staff at Insomniac and Sony and in ongoing corporate information coming out from these documents.
    • So keep the things we’ve discussed above in mind - and approach both of those scenarios with care and thoughtfulness.