System warning sign showing Sony MOVEit data breach

Sony Confirms MOVEit Data Breach Leaking Personal Information for Thousands

Sony Interactive Entertainment has confirmed a MOVEit data breach that leaked the personal information of current and former employees and their family members.

“We want to provide you with information about a cybersecurity event related to one of our IT vendors, Progress Software, that involved some of your personal information,” the company told its customers.

The Clop ransomware gang that exploited the SQL injection vulnerability CVE-2023-34362 in the MOVEit file transfer platform listed Sony as a victim in June 2023, although the company did not respond then.

Sony MOVEit data breach leaked personal information

According to incident notification letters sent to victims, the MOVEit data breach occurred before the zero-day vulnerability became public knowledge.

“On May 28, 2023, before Progress Software announced the vulnerability and we became aware of it, an unauthorized actor used the vulnerability to download some SIE files stored on our MOVEit platform,” Sony said.

The New York City-based North American operation discovered the MOVEit data breach within a week, deactivated the system, and applied security fixes.

“On June 2, 2023, SIE discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability,” the company said. “An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement.”

Sony said the MOVEit data breach was limited to the file transfer system in the United States and did not compromise other internal systems.

The tech and entertainment behemoth notified 6,791 victims and filed a regulatory filing with the Office of the Maine Attorney General. The filing disclosed that Sony’s MOVEit data breach leaked victims’ names or other personal identifiers combined with Social Security Numbers (SSNs).

Although Sony was unaware of any publication or misuse of the stolen information, victims will receive credit monitoring and identity restoration services with Equifax. The company also increased system monitoring to reduce the risk of a similar cyber attack in the future.

In September 2023, Ransomed.vc claimed they breached “all of Sony systems” and exfiltrated 260 GB of data, adding that it “won’t ransom” Sony as the “DATA IS FOR SALE.”

Sony investigated the incident and determined that the data breach affected a single server located in Japan used for internal testing. However, the compromised system did not store customer or business partner data.

In 2014, the digital entertainment company was at the center of a major international hacking incident involving North Korean state-sponsored threat actors. The breach exposed Hollywood celebrities’ extensive personal information, leaked unreleased movies and TV shows, and escalated tensions between the United States and North Korea.

In 2011, Sony suffered a massive cyber attack on its gaming platforms, impacting 77 million individuals and forcing the company to pay US residents $15m in compensation. Subsequently, impacted individuals received free premium subscriptions and in-game items.

Continued impact of MOVEit exploit

Sony is among thousands of organizations impacted by the MOVEit data breach. Threat intelligence firm Emsisoft states that at least 2,544 organizations globally, representing over 64,467,518 victims, have been impacted by the MOVEit hack.

Describing the MOVEit exploit as a “gift that keeps on giving,” Dr. Martin J. Kraemer, a security awareness advocate at KnowBe4, predicted more data exposures stemming from the MOVEit security vulnerability.

“They will keep sifting through their plunder and keep releasing information on the dark web as suits their goals,” Dr. Kraemer said.