Cyber Incident Victim: Sony
Date: May 2023
Location: United States of America
Summary
A cyberattack against Sony Interactive Entertainment, attributed to the Cl0p ransomware group, resulted from the exploitation of a vulnerability in the MOVEit Transfer managed file transfer platform, which gave the attackers access to an external Sony system. The incident compromised the personal information of 6,791 individuals, specifically their names and Social Security numbers. Identity theft protection services were subsequently offered to the affected individuals.
Description
On or around May 28, 2023, Sony Interactive Entertainment LLC became a victim of a significant cybersecurity incident. The attack was part of a broader campaign by the ransomware gang known as Cl0p, which was actively exploiting a zero-day vulnerability in the MOVEit Transfer secure file transfer platform. The vulnerability was first publicly disclosed by Progress Software on May 31, 2023, after Cl0p had already used it to gain access to the systems of numerous organizations running the product. Cl0p publicly claimed responsibility for the attack on Sony, listing the company on its dark web leak site. The group also named other major corporations as victims, including two of the Big Four accountancy firms, EY and PwC. For PwC, Cl0p specifically claimed to have exfiltrated 120GB of data and threatened to leak it if its ransom demands were not met. The group asserted that its motivations were purely financial: it stated that it targeted only private companies for monetary gain, denied any interest in government data, and claimed to delete such data if it was acquired.

The breach at Sony was discovered on June 2, 2023. The investigation determined that unauthorized access to Sony's external systems occurred over a three-day window, from May 28, 2023, to May 30, 2023. The incident was classified as an external system breach (hacking). Note that the access window closed on May 30, the day before Progress Software's public disclosure; an organization running MOVEit Transfer could not have prevented this access by patching on the advisory, and any instance exposed during that period had to be treated as potentially already compromised and investigated accordingly. The data acquired consisted of individuals' names or other personal identifiers in combination with their Social Security Numbers. A total of 6,791 persons were affected, including four residents of the state of Maine.
In response to the incident, Sony Interactive Entertainment LLC engaged external legal counsel from the firm Orrick, Herrington & Sutcliffe LLP to manage the breach notification process. The company elected to provide identity theft protection services to the affected individuals for a duration of 24 months, through Equifax ID WatchDog or Complete Premier. The offering included credit monitoring and identity restoration services to help mitigate the risk of identity theft arising from the exposure of Social Security Numbers. Affected individuals were notified electronically on October 3, 2023, four months after the breach was discovered.
The Cl0p ransomware group's campaign leveraging the MOVEit vulnerability was extensive, with the group claiming a total of 95 victims. This list included 12 public sector bodies in the United States and eight in other countries, despite the group's stated lack of interest in government data. Cl0p also denied possessing data from several high-profile victims linked to a compromise at the payroll provider Zellis, including British Airways, the BBC, and Boots, and said it had informed Zellis accordingly. This denial, together with the fact that data from these companies was not leaked by the stated deadline, raised the possibility that other threat actors were also exploiting the same MOVEit Transfer vulnerability, though no other group publicly claimed responsibility. The incident involving Sony and the other named organizations represented a widespread exploitation of a critical vulnerability in a commonly used enterprise file transfer product, affecting a substantial number of entities across both the public and private sectors.
