Sony’s employee data leaked in two separate cyberattacks

Sony Interactive Entertainment (SIE), the company behind the PlayStation brand, has confirmed that it suffered two security breaches that exposed the personal information of thousands of its current and former employees. The first breach occurred in May 2023, when hackers exploited a zero-day vulnerability in a file transfer service used by SIE. The second breach happened in September 2023, when another group of hackers accessed a server used for internal testing.

Hackers used a zero-day flaw to steal data from SIE

According to a letter sent by SIE to the affected employees, the first breach occurred on May 28, 2023, when hackers downloaded data from a server that contained personally identifiable information of US-based employees. The server was using MOVEit Transfer, a file transfer service developed by Progress Software. On May 31, 2023, Progress Software notified its clients, including SIE, about a high-severity SQL injection flaw in its platform that could lead to remote code execution. SIE said it immediately took the platform offline and fixed the vulnerability.

The hackers who claimed responsibility for this breach were part of a ransomware group called Cl0p, which had targeted hundreds of companies using the same vulnerability in MOVEit Transfer. Cl0p had threatened to reveal confidential information of its victims if they did not pay a ransom. In June 2023, Cl0p added Sony Group to its list of victims and leaked some files online. However, SIE did not make any public statement regarding this ransomware attack until October 2023.

Another breach exposed data from an internal testing server

In September 2023, SIE discovered another breach that affected a server located in Japan and used for internal testing for its Entertainment, Technology and Services business. The hackers who accessed this server acquired 3.14GB of data, which included data from the SonarQube platform, certificates, a license generator, Creators’ Cloud, and more. The hackers also leaked some of these files online.

SIE said it launched an investigation into this incident with the help of external cybersecurity experts and law enforcement agencies. It also said it took the server down and that this breach had no adverse impact on its operations.

SIE notified about 6,800 affected individuals

SIE said it contacted about 6,800 current and former employees who were affected by these breaches and offered them identity theft monitoring services. According to the official website of the Attorney General’s Office of the State of Maine in the United States, four of these individuals were residents of Maine.

SIE apologized for the inconvenience and distress caused by these incidents and said it was taking steps to enhance its security measures and prevent future attacks.
