Sony Confirms Data Breach Impacting Thousands in the U.S.

Cyber Security Threat Summary:
Sony Interactive Entertainment (Sony) has informed both current and former employees and their family members regarding a cybersecurity incident that resulted in the exposure of personal information. The company has dispatched data breach notifications to approximately 6,800 individuals, verifying that the breach transpired due to an unauthorized entity exploiting a zero-day vulnerability in the MOVEit Transfer platform.

“The zero-day is CVE-2023-34362, a critical-severity SQL injection flaw that leads to remote code execution, leveraged by the Clop ransomware in large-scale attacks that compromised numerous organizations across the world. Clop ransomware gang added Sony Group to its list of victims in late June. However, the firm did not provide a public statement until now. According to the data breach notification, the compromise happened on May 28, three days before Sony learned from Progress Software (the MOVEit vendor) about the flaw, but it was discovered in early June. “On June 2, 2023, [we] discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability,” reads the notice. “An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement,” Sony says in the data breach notification (BleepingComputer, 2023).

Security Officer Comments:
Sony has clarified that the incident was confined to the specific software platform and did not affect any of its other systems. However, the personal and sensitive information of 6,791 individuals in the U.S. was compromised. The company has meticulously identified the exposed details and provided a list of them in individual letters. The notification sample submitted to the Office of the Maine Attorney General has redacted this sensitive information. Recipients of the notification are now being offered credit monitoring and identity restoration services through Equifax. They can access these services using a unique code provided to them, and this offer is valid until February 29, 2024.