Sony Interactive Entertainment (SIE) LLC is the latest American organization to be victimized by a data breach caused by a MOVEit vulnerability. The breach has impacted nearly 7000 current and former employees or their family members.
The California-based division of Japanese giant Sony Group and developer of PlayStation video consoles and games is the latest American organization to publicly acknowledge being victimized through Progress Software’s MOVEit file transfer platform.
SIE has begun notifying almost 6,800 former employees and family members of current or former staff that their personal data was stolen from the company’s MOVEit system by a hacker at the end of May.
The data breach took place from May 28 to May 30, 2023. The attacks were carried out by the Cl0p ransomware gang, a Russia-linked cybercrime cartel that took credit for exploiting a zero-day bug in MOVEit Transfer, a file transfer software product. The stolen data included “names and other personal identifiers combined with Social Security Numbers (SSNs).”
Sony said that it has taken steps to mitigate the impact of the breach. The company is also offering credit monitoring and identity theft protection services to affected customers. In a notice to victims, Sony further explained the scope of the data breach, stating:
“On June 2, 2023, SIE discovered the unauthorized downloads, immediately took the platform offline and remediated the vulnerability. An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement.”
“Once SIE identified the downloaded files, we began a process to determine what types of personal information were affected and to whom it relates. While we worked quickly, this was a time-consuming process, and we wanted to provide you with accurate information.”
Sony Interactive Entertainment LLC (“SIE”)
As of today, researchers at Emsisoft estimate that 2,342 organizations around the world have publicly said data on tens of millions of customers, employees, or former employees was directly or indirectly (through their data processors) stolen in MOVEit hacks. That includes over 4 million people whose data was kept by the Colorado Department of Health Care Policy and Financing and 3.4 million mothers and children in Ontario whose data was kept by a registry of newborns.
Cybersecurity experts say that if your organization uses MOVEit, the IT department should assume its server has been hacked.
The MOVEit vulnerability is a serious threat to businesses that use the tool to transfer files. One instance alone impacted over 900 schools in the United States this September, resulting in data breaches involving sensitive student information.