Sony Confirms Data Breach Impacting Thousands in the U.S.

Sony Interactive Entertainment (Sony) has notified current and former employees and their family members about a cybersecurity breach that exposed personal information.

The company sent the data breach notification to about 6,800 individuals, confirming that the intrusion occurred after an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform.

The zero-day vulnerability, known as CVE-2023-34362, is a critical-severity SQL injection flaw that leads to remote code execution. The Clop ransomware gang leveraged this vulnerability in large-scale attacks that compromised numerous organizations worldwide.

Sony Group became a victim of the Clop ransomware gang in late June, although the company did not release a public statement until now.

According to the data breach notification, the compromise occurred on May 28, three days before Sony was informed by Progress Software, the vendor of MOVEit, about the vulnerability. Sony discovered the flaw in early June.

“On June 2, 2023, we discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability,” reads the notice.

“An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement,” Sony states in the data breach notification.

Sony confirms that the incident was limited to the MOVEit Transfer platform and did not impact any of its other systems.

However, sensitive information belonging to 6,791 people in the U.S. was compromised. Sony has individually determined the exposed details and listed them in each individual letter, but the notification sample submitted to the Office of the Maine Attorney General has censored the details.

The notification recipients are now being offered credit monitoring and identity restoration services through Equifax. They can access these services using their unique code until February 29, 2024.

Sony’s More Recent Breach

Last month, there were allegations on hacking forums that Sony had been breached again, with 3.14 GB of data stolen from the company’s systems. Sony responded by stating that they were investigating the claims.

The leaked dataset, held by at least two separate threat actors, contained details for the SonarQube platform, certificates, Creators Cloud, incident response policies, a device emulator for generating licenses, and more.

A Sony spokesperson shared the following statement with BleepingComputer, confirming a limited security breach:

Sony has been investigating recent public claims of a security incident at Sony. We are working with third-party forensics experts and have identified activity on a single server located in Japan used for internal testing for the Entertainment, Technology and Services (ET&S) business.

Sony has taken this server offline while the investigation is ongoing. There is currently no indication that customer or business partner data was stored on the affected server or that any other Sony systems were affected. There has been no adverse impact on Sony’s operations.

This confirms that Sony has experienced two security breaches in the past four months.