Cloud Imperium Games (CIG), a British gaming company, knew for over a month that its customers' personal information had been accessed by hackers. It seems the company doesn’t see this data breach as that much of a big deal.

In a service alert posted by its parent company, Robert Space Industries, the company said that it identified a “systematic and sophisticated attack” on January 21st, 2026.

However, the firm disclosed a data breach that affected customers’ personal information only this week.

The breach resulted in “unauthorized access to some backup systems” and “limited access to users’ personal data.”

The company hasn’t disclosed how many people were affected by the breach and hasn't yet sent notification emails to those affected.

Cybernews has reached out to CIG for comment.

CIG has sat on this information for over a month and has only reluctantly posted a data breach notification on its parent company’s website.

This service alert hasn’t been posted directly on CIG’s website, suggesting the company may be hiding the information from its customers.

In a forum thread found by The Register, which first reported the story, users have asked, “Where is the email and front page notice?”

The British gaming company has tackled the issue in an unjustifiably nonchalant manner, adding insult to injury by suggesting that the data breach isn’t a big deal.

“While CIG is still monitoring the situation, we do not consider that the incident poses a risk to the safety of our users.”

This statement alone is alarming, as users could conclude that the company knows nothing about the potential dangers of this data breach.

The gaming company continues by saying that the data impacted relates only to basic account details, such as metadata, contact details, usernames, dates of birth, and names.

CIG seems to think that because the attackers had no access to financial information or users’ passwords, customers will be safe from harm.

However, the exposed information could be enough to launch a phishing campaign that could easily swindle customers.

Using this information, bad actors could impersonate legitimate companies, such as CIG, and ask users for more personal information, including passwords and financial data.

From there, hackers could use this information to access customers’ accounts and ultimately steal their cash.

Even if this information isn’t enough to trick CIG customers into revealing more sensitive information, hackers could obtain information from the darkest recesses of the web or buy data from other hackers to create a more comprehensive profile of their target.

Despite this, CIG is confident that nothing nefarious has resulted from the data breach.

“We are also taking steps to assess and detect whether any data that was accessed is released publicly. At this stage, there are no indications of any such activity,” RSI said in an announcement.

CIG’s very nonchalant approach doesn’t seem to be assuring any of its customers.

When discussing responsible disclosure on the RSI forum, one user said that “This is [expletive] amateur CIG, this is [expletive] amateur.”

“I honestly regret every dollar I gave to you. Not because of the state of the game, but the seemingly incapable management of nearly every area of the game.”

“How in the world is this not a notice on the front page? This should not be buried,” another frustrated gamer asked.

“Security breaches MUST be communicated within 72 hours regarding GDPR. Address, real name, and birthday are critical data regarding the GDPR and not just basic info. You broke the law, CIG. And you are so cowardly to hide it and not post it on the front page. Sorry, CIG, this is bad behavior!”

GDPR stands for the General Data Protection Regulation, the EU’s data protection and privacy rules.

---

Unlock more exclusive Cybernews content on YouTube.