Sony Interactive Entertainment (SIE) has informed approximately 6,800 individuals, including current and former employees and their family members, about a data breach that exposed their personal information. The breach was a result of a zero-day vulnerability, CVE-2023-34362, in the MOVEit Transfer platform, which is widely used by companies for secure file transfers. The Clop ransomware group, also known as Lace Tempest, is suspected to be behind the attack.
This zero-day is a SQL injection vulnerability that an unauthenticated attacker can exploit to gain unauthorized access to the MOVEit Transfer database. Depending on the database engine used, an attacker may be able to infer information about the database's structure and content, and execute SQL statements that alter or delete database elements. This vulnerability affects all versions of MOVEit Transfer, but not the cloud version of the product. The vendor has shared Indicators of Compromise (IoCs) for this attack and urges customers who notice any of these indicators to contact its security and IT teams immediately.
In late June, Sony was added to the Clop ransomware gang's list of victims on its leak site. Sony learned of the unauthorized downloads on June 2, 2023, took the platform offline, and remedied the vulnerability. An investigation was launched with the help of external cybersecurity experts. SIE has increased the monitoring of its systems in response to the incident and has stated that it is not aware of the stolen personal information being published or misused. The company is also offering complimentary Equifax Complete Premier credit monitoring and identity restoration services to those affected.
In September, Sony announced it was investigating allegations of a data breach after the RansomedVC extortion group claimed to have hacked the company and added it to its Tor leak site. The group published some files as proof of the hack, but it is unclear if all the company's systems were compromised. RansomedVC claimed to have stolen 260 GB of data from Sony's networks and is attempting to sell the stolen data for $2.5 million. Another threat actor, known online as 'MajorNelson', also claimed responsibility for the attack and accused RansomedVC of lying. MajorNelson leaked a 2.4 GB compressed archive, which contains credentials for internal systems. As of now, it cannot be ruled out that Sony has suffered more than one data breach since June.