Date: 2023-10-05

Cybersecurity issues have been on the rise with hackers even targeting some of the world’s biggest companies. In this regard, Sony Interactive Entertainment (Sony) became a victim of a phishing attack recently. The company informed its current and former employees along with their family members about a cybersecurity breach that exposed personal information. According to the details, the company sent the data breach notification to around 6,800 individuals. Furthermore, it confirmed that the intrusion took place after an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform.

The zero-day vulnerability, tracked as CVE-2023-34362, is a critical SQL injection flaw. Exploiting it allows remote code execution, and the Clop ransomware group has used it in large-scale attacks that have successfully compromised several organizations worldwide.

According to a source, the Clop ransomware group added Sony to its list of victims in late June. However, the company has not provided a public statement to date. The data breach notification stated that the phishing attack took place on May 28, three days before the company learned of the flaw from Progress Software (the MOVEit vendor). According to the notice sent by Sony:

"On June 2, 2023, [we] discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability. An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement."

Furthermore, the company said that the attack was limited to a specific software platform and had no effect on any of its other systems.

Nevertheless, the personal information of around 6,791 US citizens was compromised. The company determined the leaked details for each person individually and listed them in that person's letter. However, these details are hidden in the notification sample delivered to the Office of the Maine Attorney General.

The notification recipients are now provided credit monitoring and identity restoration services via Equifax, which they can access using their unique code until February 29, 2024.

