Sony Interactive Entertainment (Sony) has officially disclosed a critical cybersecurity breach, impacting current and former employees along with their families. Approximately 6,800 individuals received a data breach notification, detailing the breach that occurred due to an exploitation of a zero-day vulnerability (CVE-2023-34362) in the MOVEit Transfer platform.

Key Details:

Timeline:

The intrusion took place on May 28, 2023, but Sony became aware after learning from MOVEit’s vendor, Progress Software, about the flaw on June 2, 2023. Immediate actions were taken: the platform was taken offline, the vulnerability was patched, and an extensive investigation was launched with external cybersecurity experts’ assistance.

Impact:

The breach was confined to the MOVEit Transfer platform, sparing other Sony systems. However, sensitive data of 6,791 individuals in the U.S. was compromised. Sony has meticulously determined the exposed details, shared privately with affected parties, and provided credit monitoring and identity restoration services through Equifax until February 29, 2024.

Subsequent Breach:

Sony faced another security incident involving a server in Japan. While no customer or business partner data was stored on the affected server, Sony is diligently investigating the situation with third-party forensics experts.

Response:

Sony has taken the affected server offline, emphasizing that there’s no adverse impact on its operations.

Sony continues to prioritize security measures and collaborate with experts to ensure the safety of its networks and stakeholders.