Data theft for ransom, much like ransomware, is becoming a common tool to use against corporations. Taking or encrypting (suspected)important files and then asking for money just seems like the thing to do these days. In some cases (like more than a few medical centers) we find that the organization has no back up of the data and are forced to pay the demanded ransom (and then hope they get the decryption code). In the case of data theft with the threat of publication things are a little different, but follow a similar pattern. The organization has to decide if the information is important enough to give into demands. CD Projekt RED has determined that they are not.
Now here is where our suspicious minds come into play. If the documents in question are old and not important, why release the information about it? Right now there is no notice that we can find of a pending release and other than the tweet we have not found any references to the theft. To me giving out this information seems more of an admission of an insecure network, or careless document handling practices. If it was intended to be defiant, that is not the tone we are getting.
We also have noticed that most of the articles about the tweet cover what little information there is about Cyberpunk 2077. It is great press to be sure and could be a big reason that the tweet was sent out. Maybe they want the buzz about the game and people looking for information on what to expect from it. It would be a smart marketing move to use this bad situation and turn it into some free press on an upcoming game. Either way we are sure that some enterprising (and malicious) individuals are already hard at work building malware into some fake documents just to take advantage of those people hungry for info on Cyberpunk 2077.
It should be very interesting to see how fans react if they get malware from searching for stolen (old) information on a future game...