Sony Confirms Data Breach Affecting Thousands in the U.S.: Sony Interactive Entertainment (Sony) has recently disclosed a significant cybersecurity breach affecting thousands of individuals in the United States.
This breach stemmed from the exploitation of a zero-day vulnerability in the MOVEit Transfer platform, resulting in unauthorized access to personal information.
Key Takeaways TO Sony Confirms Data Breach Affecting Thousands in the U.S.:
Table of Contents
- Data Breach and Exploited Vulnerability: Sony has reported a data breach impacting approximately 6,800 current and former employees and their family members. The breach was facilitated by an unauthorized party exploiting a zero-day vulnerability (CVE-2023-34362) in the MOVEit Transfer platform.
- CloP Ransomware Involvement: The zero-day vulnerability in question led to remote code execution and was exploited by the Clop ransomware gang. This group has previously targeted various organizations worldwide in large-scale attacks.
- Response and Impact: Sony detected the breach on June 2, 2023, promptly took the affected platform offline, and initiated an investigation with external cybersecurity experts. The breach was contained within the software platform, with no impact on other Sony systems. However, the sensitive information of 6,791 individuals in the U.S. was compromised.
Data Breach and Vulnerability Exploitation
Sony has officially reported a significant data breach impacting a substantial number of individuals in the United States.
The breach resulted from an unauthorized party exploiting a zero-day vulnerability (CVE-2023-34362) found in the MOVEit Transfer platform. This vulnerability is classified as a critical severity and allows for SQL injection, leading to remote code execution.
It has been utilized in attacks orchestrated by the Clop ransomware gang, affecting numerous organizations worldwide.
Timeline of the Breach
The breach occurred on May 28, and Sony became aware of the vulnerability through the MOVEit vendor, Progress Software, three days later. Immediate action was taken, and the platform was taken offline on June 2.
Sony initiated an investigation, involving external cybersecurity experts, and promptly notified law enforcement agencies regarding the breach.
Impact and Response
While the breach was limited to the specific software platform, it had severe consequences for 6,791 individuals in the U.S. Sony has individually assessed the exposed details but has censored this information in the notification submitted to the Office of the Maine Attorney General.
As a response to the breach, the affected individuals are being offered credit monitoring and identity restoration services through Equifax. These services will be accessible using unique codes provided until February 29, 2024.
Recent Breach and Investigation
Sony faced allegations of another breach in the past month. Claims arose on hacking forums suggesting that 3.14 GB of data had been stolen from the company’s systems. This dataset contained information related to the SonarQube platform, certificates, Creators Cloud, incident response policies, and more.
Sony responded by confirming a limited security breach, clarifying that it was investigating the incident. The breach was linked to a single server in Japan used for internal testing for the Entertainment, Technology, and Services (ET&S) business.
Importantly, there was no indication that customer or business partner data was stored on this affected server, and it did not impact Sony’s operations.
Conclusion
Sony has faced two security breaches within a four-month period, underscoring the persistent challenges posed by cybersecurity threats. Immediate detection, response, and notification to affected parties are crucial in mitigating the impact of such breaches.
About Sony:
- Sony Interactive Entertainment (Sony): Sony Interactive Entertainment is a subsidiary of Sony Corporation and is responsible for the development, production, and distribution of video game hardware, software, and services. It operates under the PlayStation brand.
