Sony Confirms Data Breach After MOVEit Tool Compromise

Sony Interactive Entertainment has written to current and former members of staff to confirm a “cybersecurity event.”

Bleeping Computer obtained a copy of the notification letter sent out on Tuesday to current and former employees and their family members about a cybersecurity breach that exposed personal information.

The public confirmation from Sony has been a long time coming, and stems back to the compromise in May of a zero-day vulnerability in the MOVEit transfer tool from Progress Software, which is used by businesses to securely transfer sensitive data.

Clop ransomware

That MOVEit breach came to light in early June after it emerged that US government agencies, Ofcom, and other victims including British Airways, BBC, and Boots had been compromised.

The Clop (also written cl0p) ransomware extortion gang (based in Russia and Russian speaking) began naming its victims in June.

Sony had been added to Clop ransomware’s victim list in late June, but the firm never publicly confirmed the compromise until now.

Sony company sent the data breach notification to about 6,800 individuals, confirming that the intrusion occurred VIA the MOVEit Transfer platform.

According to the data breach notification obtained by Bleeping Computer, the compromise happened on May 28, three days before Sony learned from Progress Software about the flaw.

“On June 2, 2023, [we] discovered the unauthorized downloads, immediately took the platform offline, and remediated the vulnerability,” reads the notice.

“An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement,” Sony said in its data breach notification letter.

Sony said the incident was limited to the particular software platform and had no impact on any of its other systems.

Still, sensitive information belonging to 6,791 people in the US was compromised, Bleeping Computer noted.

Victims are being offered credit monitoring and identity restoration services through Equifax.

Ransomed.vc claim

It should be noted that this Clop breach, is the second breach of Sony data in the past couple of months.

In late September a lesser known hacking group had claimed on the dark web that it had breached ‘all Sony systems’ and would sell the stolen data – amid media reports Sony was refusing to pay a ransom.

That hacking claim came from a group called Ransomed.vc, which seems to be a ransomware operator and a ransomware-as-a-service organisation that is based in Russia and Ukraine.

They allegedly stole 3.14 GB of data from Sony’s systems. Sony said it was investigating the claims.

Sony is no stranger to cybersecurity incidents. In November 2014 Sony Pictures was famously hit by a devastating attack by North Korean hackers, in retaliation for the film “The Interview” – a Seth Rogen comedy about a plot to kill to the leader of North Korea.

That 2014 hack was so devastating it exposed the personal details of some Hollywood movie stars, as well other highly confidential data.

Prior to that, Sony’s most serious hack had been in 2011 that saw some 77 million registered accounts compromised and online features totally inoperable. That attack on the Playstation Network took it offline for a week.

Smash and grab

A number of cybersecurity specialists got in touch offering their insights into the MOVEit Sony breach.

“I don’t think we have seen the end of MOVEit disclosures yet at all, nor will we any time soon,” said Martin Kraemer, security awareness advocate at KnowBe4.

“This will be a gift that keeps on giving, as attackers – like the Clop gang – seized the opportunity to smash and grab as much as possible, as quickly as possible. They will keep sifting through their plunder and keep releasing information on the dark web as suits their goals,” said Kraemer.

“The Clop gang is known to attack supply chains as has happened with MOVEit,” Kraemer added. “The incident serves as a timely reminder to keep close tabs on all software (and hardware) supply chains. With the introduction of new regulations, e.g., NIS-2 in Europe, companies must strive to secure their supply chains. With NIS-2 there even is an element of personal liability of executives for cybersecurity incidents. It is past time organisations took action.”

Clear plan

Meanwhile Darren Guccione, CEO and co-founder of password management specialist Keeper Security, said Sony’s disclosure should serve as a wake up call, as cyber teams continue to address the fallout from the MOVEit compromise.

“All organisations should take a proactive approach to regularly update software and immediately patch vulnerabilities that are being actively exploited in the wild,” said Guccione. “Organisations must ensure they have a patch deployment process defined and written down, with emergency levers for critical vulnerabilities. When organisations have a clear plan, their teams can execute it accordingly.”

“There are proactive steps individuals impacted by the breach can take to limit the damage such as changing login info for their compromised accounts, utilising a dark web monitoring service to check for leaked credentials, monitoring or freezing their credit and practising good cyber hygiene,” said Guccione.

“By using strong and unique passwords, enabling MFA wherever possible, updating software, and always thinking before you click, individuals can greatly increase their personal cybersecurity,” Guccione added. “A password manager can generate strong and unique passwords for each account, securely store them and integrate MFA codes to strengthen and simplify credential management across every website, application and system.”

Third party risk

Lastly Erfan Shadabi, cybersecurity expert at comforte AG noted that the MOVEit vulnerability exploited in this breach underscores the reality that security vulnerabilities can originate not only from internal lapses but also from third-party software or services integrated into an organisation’s infrastructure.

“It’s crucial for organisations to recognise that their security posture extends beyond their immediate network and includes any third-party services or solutions they rely on,” said Shadabi.

“To mitigate the risks associated with data breaches and vulnerabilities in third-party software like MOVEit, organisations must adopt a data-centric security approach. Tokenisation is one such strategy that merits consideration,” Shadabi said.