Sony Interactive Entertainment (Sony) has notified current and former employees and their families of a cybersecurity breach that exposed personal information.
The company sent the data breach notification to about 6,800 people, confirming that the intrusion occurred after an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform.
The zero-day is CVE-2023-34362, a critical SQL injection flaw that leads to remote code execution. The Clop ransomware gang exploited it in large-scale attacks that compromised numerous organizations around the world.
The Clop ransomware gang added Sony Group to its list of victims in late June. However, the firm has not made a public statement so far.
According to the data breach notification, the compromise occurred on May 28, three days before Sony learned of the flaw from Progress Software (MOVEit’s vendor), but it was not discovered until early June.
“On June 2, 2023, we discovered the unauthorized downloads, immediately took the platform offline, and fixed the vulnerability,” the notice reads.
“An investigation was then launched with the help of external cybersecurity experts. We also notified the authorities,” Sony says in the data breach notification.
Sony says the incident was limited to one particular software platform and had no impact on any of its other systems.
Even so, confidential information belonging to 6,791 people in the United States was compromised. The exposed details were determined individually by the firm and listed in each letter, but are redacted in the sample notice sent to the Maine Attorney General’s Office.
Recipients of the notification are now offered credit monitoring and identity restoration services through Equifax, which they can access using their unique code until February 29, 2024.
Sony’s most recent breach
Late last month, after allegations surfaced on hacking forums that Sony had been breached again and that 3.14GB of data had been stolen from the company’s systems, the company said it was investigating the claims.
The leaked data set, held by at least two different threat actors, contained details of the SonarQube platform, certificates, Creators Cloud, incident response policies, a device emulator for generating licenses, and more.
A Sony spokesperson shared the following statement with BleepingComputer, confirming a limited security breach:
Sony has been investigating recent public claims about a security incident at Sony. We are working with third-party forensic experts and have identified activity on a single server located in Japan that is used for internal testing for the Entertainment, Technology and Services (ET&S) business.
Sony has taken this server offline while the investigation continues. There is currently no indication that customer or business partner data was stored on the affected server or that any other Sony systems were affected. There has been no adverse impact on Sony’s operations.
This confirms that Sony has suffered two security breaches in the last four months.