Thousands of Sony Employees Impacted By Data Breach – Sony has confirmed that it experienced not one, but two security breaches since the end of May. The initial breach, detected in June, was exploited by the Clop ransomware group through a zero-day vulnerability in the MOVEit Transfer platform, used for secure file transfers. Although Progress Software, the vendor of MOVEit, alerted Sony about the vulnerability on June 2, the compromise had already occurred on May 28.
A data breach notification, submitted to the Office of the Main Attorney General, revealed that 6,791 individuals, all of whom are current or former employees of Sony Interactive Entertainment in the US, had their personal information compromised. Sony has taken steps to inform each affected individual about the incident, detailing the nature of the breach and the specific personal and sensitive information that was taken.
In response to the breach, Sony is providing each affected person with 24 months of Equifax ID WatchDog or Complete Premier credit monitoring and identity restoration services. A recently emerged ransomware group called Ransomed.vc asserted that they had obtained “all” of Sony’s data, but the sample they provided was far from persuasive.
Sony has now confirmed this second breach did happen, with a spokesperson explaining: “Sony has been investigating recent public claims of a security incident at Sony. We are working with third-party forensics experts and have identified activity on a single server located in Japan used for internal testing for the Entertainment, Technology and Services (ET&S) business.”
“Sony has taken this server offline while the investigation is ongoing. There is currently no indication that customer or business partner data was stored on the affected server or that any other Sony systems were affected. There has been no adverse impact on Sony’s operations.”
In contrast to the significant PlayStation Network breach of 2011, this recent compromise appears to be contained and not directly attributable to Sony’s actions. Nevertheless, it should prompt the company to reconsider its reliance on a secure file transfer service without implementing additional measures to safeguard its employees.