Sony Confirms Second Data Breach in Months
New Data Breach Impacts 6,800 People
Sony Interactive Entertainment (Sony) has recently sent data breach notifications to approximately 6,800 people, described in reports as current and former employees and their family members, alerting them to a cybersecurity breach that exposed personal information. The breach occurred after an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform.
According to an update on the incident published by Sony on October 3, the vulnerability exploited is CVE-2023-34362, a critical-severity SQL injection flaw that allows for remote code execution.
This vulnerability has been leveraged by the notorious Clop ransomware gang in large-scale attacks that have affected numerous organizations worldwide. In late June, Sony Group was added to the list of victims targeted by the Clop ransomware gang, although the company did not publicly acknowledge the incident until now.
According to the data breach notification, the compromise took place on May 28, with Sony only becoming aware of the flaw three days later on June 1, when Progress Software, the vendor for MOVEit, alerted it to the vulnerability. Sony promptly took the affected platform offline on June 2 and addressed the vulnerability. The company also initiated an investigation with the help of external cybersecurity experts and notified law enforcement.
Sony has clarified that the breach was limited to the specific software platform and did not impact any of its other systems. However, personal and sensitive information belonging to 6,791 individuals in the United States was compromised. The company has individually assessed the exposed details and provided a comprehensive list in the notification letters sent to affected individuals. Those specific details are redacted in the version of the notification submitted to the Office of the Maine Attorney General.
To assist those affected by the breach, Sony is offering credit monitoring and identity restoration services through Equifax, according to media reports. Each recipient of the notification will receive a unique code that grants them access to these services until February 29, 2024.
In today's digital landscape, data breaches have become a significant concern for individuals and organizations alike. Sony Interactive Entertainment's proactive response to the incident, including the immediate closure of the affected platform, the engagement of cybersecurity experts, and the provision of credit monitoring services, demonstrates their commitment to addressing the breach and supporting those affected.
As cyber threats continue to evolve, all organizations must prioritize cybersecurity measures to safeguard sensitive information and protect against potential breaches.
Regular vulnerability assessments and timely responses to identified risks are essential components of a robust cybersecurity strategy.
By staying vigilant and proactive, companies can minimize the impact of potential breaches and maintain the trust of their employees and customers.