Sony Interactive Entertainment (Sony) recently informed current and former employees, as well as their families, of a data breach that exposed private data.
The company notified around 6,800 people about the data breach, confirming that the attack occurred when an unauthorised party exploited a zero-day vulnerability in the MOVEit Transfer platform.
The Clop ransomware exploited the zero-day, CVE-2023-34362, a critical-severity SQL injection vulnerability that can result in remote code execution, in massive attacks that affected several organisations across the world.
According to the data breach notification, the intrusion took place on May 28, three days before Progress Software (the MOVEit vendor) informed Sony of the vulnerability, but it was not discovered until early June.
The notice states that “on June 2, 2023, [we] discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability.”
“An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement,” Sony further explained in the data breach notification.
Sony claims that the incident was confined to a particular software platform and did not affect any of its other systems.
Even so, the private data of 6,791 Americans was compromised, including sensitive information. Each letter from the firm lists the details that were exposed, but the sample notification provided to the Office of the Maine Attorney General has them redacted.
Recipients of the notification can sign up for Equifax's identity protection and credit monitoring services by providing their special access code through February 29, 2024.
Following claims on hacking forums that Sony had experienced another security breach and that 3.14 GB of data had been taken from the company's servers, the firm responded by stating that it was looking into the allegations.
The leaked material, which was held by at least two distinct threat actors, included the SonarQube platform, certifications, Creators Cloud, incident response guidelines, a device emulator for creating licences, and other information.
A Sony representative provided the following statement to BleepingComputer, confirming a small security breach:
"Sony has been investigating recent public claims of a security incident at Sony. We are working with third-party forensics experts and have identified activity on a single server located in Japan used for internal testing for the Entertainment, Technology and Services (ET&S) business.
Sony has taken this server offline while the investigation is ongoing.
There is currently no indication that customer or business partner data was stored on the affected server or that any other Sony systems were affected. There has been no adverse impact on Sony's operations."
This confirms that Sony has experienced two security lapses in the past four months.