Sony Interactive Entertainment (Sony) has informed current and former employees as well as their family members regarding a cybersecurity breach that exposed personal information.
The company has issued data breach notifications to approximately 6,800 individuals, confirming that the breach occurred when an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform. The specific zero-day vulnerability is identified as CVE-2023-34362, which is a critical-severity SQL injection flaw leading to remote code execution. This vulnerability was exploited by the Clop ransomware group in large-scale attacks affecting numerous organizations worldwide.
The Clop ransomware gang added Sony Group to its list of victims in late June, although the company did not publicly acknowledge the breach until now. According to the data breach notification, the compromise took place on May 28, three days before Progress Software, the vendor of MOVEit, alerted Sony to the vulnerability; Sony discovered the compromise in early June.
The notification stated, “On June 2, 2023, we identified unauthorized downloads, immediately took the platform offline, and remediated the vulnerability.” Sony also launched an investigation with the assistance of external cybersecurity experts and notified law enforcement.
Sony clarified that the incident was confined to the specific software platform and did not impact any of its other systems. Nevertheless, personal information of 6,791 individuals in the United States was compromised. The company individually identified the exposed details and provided them in individual letters, although the notification sample submitted to the Office of the Maine Attorney General redacted this information.
Notification recipients are now being offered credit monitoring and identity restoration services through Equifax, which they can access using their unique code until February 29, 2024.
Separately, Sony responded to more recent claims on hacking forums that it had suffered another breach, resulting in the theft of 3.14 GB of data from its systems. Sony acknowledged these claims and stated that it was investigating the situation. The leaked dataset contained details related to the SonarQube platform, certificates, Creators Cloud, incident response policies, a device emulator for generating licenses, and more.
A Sony spokesperson provided a statement confirming a limited security breach, saying:
“Sony has been investigating recent public claims of a security incident at Sony. We are working with third-party forensics experts and have identified activity on a single server located in Japan used for internal testing for the Entertainment, Technology and Services (ET&S) business.
“Sony has taken this server offline while the investigation is ongoing. There is currently no indication that customer or business partner data was stored on the affected server or that any other Sony systems were affected. There has been no adverse impact on Sony’s operations.”
This confirms that Sony has experienced two security breaches within the past four months.