Sony has sent letters to nearly 6,800 former and current employees and their family members to notify them about a data breach that exposed personal information.
According to Bleeping Computer, Sony's confirmation comes after an investigation was launched with assistance from external cybersecurity experts before notifying law enforcement.
Sony confirmed that the company suffered two significant data breaches in the past four months. The first breach happened on May 28. However, it was only on June 2 that Sony discovered that an unauthorized group exploited a zero-day vulnerability in the MOVEit Transfer platform.
The zero-day, tracked as CVE-2023-34362, is a high-severity SQL injection flaw that allows hackers to modify databases and gain unauthorized access to sensitive data such as credit card details, personal user information, and passwords.
The Clop ransomware gang leveraged this vulnerability in MOVEit software for large-scale cyberattacks that compromised numerous organizations. The gang took credit for the hack, adding Sony Group to its list of victims in late June.
Sony Is a Victim of Data Breach
IT World Canada reported that the names and Social Security numbers of 6,791 individuals in the US were among the personal information illegally obtained by the hacking group.
Sony offered credit monitoring and identity restoration services to the affected individuals through Equifax, which they can access using their unique code until February 29, 2024.
Last month, Sony noted that it was investigating allegations of a cyberattack after several hackers claimed responsibility for the purported hack. Citing information on hacker forums, Bleeping Computer reported that 3.14 GB of data had been stolen from the company's systems.
Two different hacking groups claimed responsibility for this. Each shared a leaked dataset containing various platforms and information linked to Creators Cloud, SonarQube, incident response policies, Sony's certificates, a device emulator for license generation, and more. One of these groups even tried to sell the data for $2.5 million.
Sony noted that it had verified this illegal activity on a single server located in Japan used for internal testing for the Entertainment, Technology and Services (ET&S) business. The company said it had already shut down this server while the investigation was ongoing.
A Sony spokesperson assured its customers and business partners that no data related to them was stored on the affected server and that no other Sony systems were affected. The spokesperson added that there was also no adverse impact on its operations.
Sony and Thousands of Others
Sony is among the approximately 2,342 organizations that had data on millions of people stolen in the MOVEit hacks. With millions of individuals confirmed to have been impacted, Emsisoft estimated that this puts the cost of the MOVEit incident at $10,329,020,625.
Last August, Reuters reported that 40 million people have been affected so far by the data breaches at different organizations. Like Sony, many of these organizations have also contacted their affected customers and affiliates to notify them.
Cybersecurity experts believe that if an organization uses MOVEit, it should assume that its server has been hacked. In connection with the recent cyberattacks, the company behind "MOVEit," Progress Software, has tried to mitigate the problem by releasing patches and updates to provide enhanced security features.