Sony (MOVEit Transfer)
Summary
Sony confirmed in October 2023 that it suffered a data breach on 28 May 2023 when the Cl0p ransomware group exploited a zero-day vulnerability in the MOVEit Transfer platform. The breach compromised personal information of 6,791 current and former employees in the United States. Sony discovered the breach on 2 June, immediately took the platform offline, and remediated the vulnerability. This was disclosed separately from another ransomware incident affecting Sony in September 2023.
What Happened
On 28 May 2023, an unauthorised actor exploited a zero-day vulnerability in the MOVEit Transfer platform to download Sony files stored on the platform. Progress Software, the vendor of MOVEit Transfer, announced the vulnerability on 31 May 2023; it affected Sony and thousands of other enterprises worldwide.
Sony discovered the unauthorised access on 2 June 2023, immediately took the MOVEit Transfer platform offline, and remediated the vulnerability. The Cl0p ransomware group claimed responsibility for the data breach, which was part of a global campaign that exploited the MOVEit vulnerability and affected hundreds of organisations.
Impact on Individuals
The breach compromised personal data of 6,791 current and former Sony employees, primarily based in the United States. The exposed information included names, addresses, and employment-related data.
Sony publicly disclosed the breach in October 2023, several months after the May incident. The delay was partly due to the time required to investigate the full scope of the breach and identify all affected individuals. The breach did not expose customer data or PlayStation Network information, limiting the impact to employee records.
Organisational Response
Sony took immediate action upon discovering the breach on 2 June 2023, taking the MOVEit Transfer platform offline and remediating the vulnerability. The company conducted a thorough investigation to determine which employee records had been accessed.
Sony publicly confirmed the breach in October 2023 and began notifying affected employees. The company emphasised that its main systems remained secure and that the breach was limited to data stored on the third-party MOVEit Transfer platform.
This incident was separate from another Sony ransomware attack in September 2023, demonstrating that the company faced multiple cybersecurity challenges during 2023.