Sony’s 6,791-User Data Breach: Explore the timeline and aftermath of a recent data breach affecting thousands.
Sony Interactive Entertainment (Sony) directly informed current and former employees, as well as their family members, about a cybersecurity breach that exposed their personal information. The company sent data breach notifications to approximately 6,800 individuals, confirming that an unauthorized party had exploited a zero-day vulnerability in the MOVEit Transfer platform to carry out the intrusion.
This particular zero-day vulnerability, known as CVE-2023-34362, is a critical-severity SQL injection flaw that can lead to remote code execution. The Clop ransomware group leveraged this vulnerability in large-scale attacks, compromising numerous organizations worldwide. Sony Group was added to the list of victims by the Clop ransomware gang in late June, though the firm refrained from making a public statement about the incident until now.
According to the data breach notification, the compromise took place on May 28, three days before Progress Software, the MOVEit vendor, alerted Sony about the flaw. However, Sony itself discovered the vulnerability in early June. The notice states, “On June 2, 2023, we identified unauthorized downloads, promptly took the platform offline, and addressed the vulnerability.”
Sony launched an investigation with assistance from external cybersecurity experts and also notified law enforcement, as outlined in the data breach notification. The company underscores that the incident exclusively impacted the specific software platform and did not affect any other systems.
Nevertheless, the breach compromised sensitive information for 6,791 individuals in the U.S. Sony individually assessed and listed the exposed details in personalized letters for each recipient, with some information redacted in the notification sample submitted to the Office of the Maine Attorney General.
Notification recipients are now eligible for credit monitoring and identity restoration services through Equifax, which they can access using their unique code until February 29, 2024.
Sony’s Confirmation and Actions Taken
Sony confirmed the occurrence of a limited security breach in a statement issued to BleepingComputer. As per their statement, the investigation, conducted in collaboration with third-party forensic experts, pinpointed suspicious activity on a specific server located in Japan. This server had predominantly served as an internal testing ground within the Entertainment, Technology, and Services (ET&S) business division. In response, Sony promptly took the affected server offline while the investigation remains in progress.
Importantly, the investigation yielded no evidence to suggest that customer or business partner data was stored on this particular server. Furthermore, there is no indication that this incident has had any adverse impact on other Sony systems, and the company’s operations remain unaffected. This incident marks the second security breach Sony has experienced in the last four months.