In a recent disclosure, Sony Interactive Entertainment (Sony) has confirmed a cybersecurity breach that impacted thousands of current and former employees. This incident has drawn attention due to its resemblance to a plotline from a cyber espionage thriller.
How the Breach Panned Out
Sony has taken the initiative to notify approximately 6,800 individuals, including employees and their family members, regarding a data breach that transpired after an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform. This critical-severity SQL injection flaw, identified as CVE-2023-34362, led to remote code execution and was wielded by the Clop ransomware group in large-scale attacks, affecting numerous organizations worldwide.
The breach timeline is noteworthy. The intrusion occurred on May 28, 2023. However, Sony only learned about it three days later from Progress Software, the MOVEit vendor. It was not until early June that Sony detected the compromise, discovering unauthorized downloads on June 2. In response, the company swiftly took the platform offline and remediated the vulnerability. Sony also initiated an investigation in collaboration with external cybersecurity experts and promptly notified law enforcement agencies.
Impact and Response
Sony was quick to emphasize that the breach was confined to the specific software platform and did not extend to any other systems within the company. Nevertheless, sensitive information belonging to 6,791 individuals in the U.S. was compromised. Sony meticulously determined the exposed details and listed them in individual notification letters. The information was redacted in the sample submitted to the Office of the Maine Attorney General.
As a response to the breach, Sony is offering credit monitoring and identity restoration services through Equifax. Each affected individual will receive a unique code, valid until February 29, 2024, to access these services.
A String of Incidents
This breach marks the latest in a series of cybersecurity incidents plaguing Sony. Last month, the company faced allegations on hacking forums that it had fallen victim to a breach resulting in the theft of 3.14 GB of data from its systems. Sony responded by promptly launching an investigation into these claims.
The leaked dataset contained sensitive information, including details related to the SonarQube platform, certificates, Creators Cloud, incident response policies, a device emulator for generating licenses, and more. Sony confirmed the breach in a statement, revealing that it was tied to a single server located in Japan. This server was primarily used for internal testing within the Entertainment, Technology, and Services (ET&S) business. Fortunately, there was no evidence of customer or business partner data stored on the affected server. No adverse impact on Sony’s operations was reported.