Thousands of Individuals Affected by Sony Cybersecurity Breach Exposing Personal Information

Sony Interactive Entertainment (Sony) notified around 6,800 individuals, including current and former employees and their families, about a cybersecurity breach. The breach occurred when an unauthorized party exploited a zero-day vulnerability (CVE-2023-34362) in the MOVEit Transfer platform. The flaw leads to remote code execution and was used in large-scale attacks by the Clop ransomware gang.

The intrusion took place on May 28, and Sony discovered it on June 2, immediately taking the platform offline and initiating remediation efforts. An investigation with external cybersecurity experts and law enforcement assistance followed. Fortunately, the breach was limited to the specific platform and did not affect other Sony systems. Still, the sensitive information of 6,791 individuals in the U.S. was compromised. Sony offered affected parties credit monitoring and identity restoration services through Equifax, valid until February 29, 2024.

Sony recently responded to claims of another breach, confirming activity on a single server in Japan used for internal testing, with no indication of customer or business partner data stored on it or adverse impacts on Sony’s operations. This marks the second security breach in the past four months for Sony.