Sony has officially confirmed a significant data breach involving sensitive information belonging to both current and former employees. In a breach notification letter sent to the affected individuals, Sony disclosed that an unauthorized party had exploited a vulnerability in the MOVEit managed file transfer software to gain access to personal data.
According to the letter, the breach took place on May 28, shortly before Progress, the company responsible for MOVEit, began notifying its clients of a high-severity flaw within the software.
Swift Response and Investigation
Sony promptly detected the unauthorized downloads on June 2, 2023, and took immediate action by disabling the platform and addressing the vulnerability. An investigation was initiated, with external cybersecurity experts aiding in the process. Sony also informed law enforcement agencies about the breach.
While Sony emphasized that the breach was contained within the software platform and did not extend to its wider network, sensitive data from 6,791 individuals in the United States fell into the hands of a financially motivated Russian ransomware actor known as Cl0p.
Cl0p wasted no time and listed Sony on its data leak site, offering the stolen information for sale. Sony appears to have opted not to negotiate or meet the ransom demand. The dark web advertisement posted by a threat actor named Ransomed.vc included a small sample of the data, featuring screenshots of an internal login page, an internal PowerPoint presentation, and some Java files. The advertisement claimed that “all of Sony systems” had been compromised.
The MOVEit MFT campaign is fast becoming one of the most significant cybersecurity incidents of recent years, alongside notorious cases like Log4j and GoAnywhere. MOVEit is a managed file transfer service commonly used by organizations to share sensitive information securely, and it is deployed by a wide range of entities, from small and medium-sized businesses to large enterprises. Cl0p’s intrusion was made possible by a critical-severity SQL injection flaw, CVE-2023-34362, which allowed the attackers to execute code remotely on unpatched MOVEit servers.
The implications of this breach are far-reaching, and it serves as a stark reminder of the importance of safeguarding sensitive data, including data handled by third-party software, in an ever-evolving threat landscape. Sony, like many other affected organizations, now faces the arduous task of mitigating the damage and strengthening its security measures to prevent future breaches.