On 3rd October 2023, Sony Interactive Entertainment (SIE) issued a warning to approximately 6,800 current and former employees, including family members, notifying them that their personal data had been compromised in a security incident, as revealed in a communication obtained by Bleeping Computer. While specific details regarding the stolen personal information were redacted, the company did confirm in a letter that the breach originated from a file transfer application named MOVEit. This marks the second reported attack on Sony's infrastructure within the past fortnight.
Attributed to a ransomware group known as CL0P, the attack was claimed on May 28th, with MOVEit's vendor, Progress Software, subsequently alerting Sony about the security vulnerability on May 31st. Sony promptly responded to the situation, stating in the communication to its employees, "On June 2, 2023, [we] detected the unauthorized downloads, immediately took the platform offline, and addressed the vulnerability." Sony has initiated a thorough investigation with the assistance of external cybersecurity experts and has also engaged law enforcement agencies in the matter.
Sony's official communication covering the data breach in October 2023
Sony was one of the first prominent entities to be featured on the CL0P leak website as a target of the MOVEit hack. This week, Sony officially communicated to the Maine attorney general that approximately 6,800 individuals were affected by the MOVEit breach.
The data breach notification template available on the Maine attorney general's official website does not provide specific details about the nature of the compromised data, but it does explicitly mention that it pertains to personal information. Furthermore, Sony has taken the proactive step of offering complimentary credit monitoring and identity restoration services to those affected, indicating the sensitive nature of the information that was compromised.
Cyber security lessons all businesses should learn following Sony's data breach
Sony's latest security breach should serve as a wake-up call for businesses and individuals alike. Here are some key takeaways:
Prioritise Cybersecurity: Cybersecurity is not an afterthought but a fundamental aspect of business operations. Investing in robust security measures can save an organization from costly breaches.
Employee Training: Cybersecurity training for employees is crucial. Phishing attacks, often a precursor to breaches, can be thwarted with vigilant and informed staff.
Regular Updates and Patching: Keeping software and systems up-to-date is essential. Many breaches exploit known vulnerabilities that could have been prevented with timely updates.
Incident Response Plan: Having a well-defined incident response plan can minimize the damage caused by a breach and streamline recovery efforts.
Encryption and Data Protection: Encrypting sensitive data and implementing access controls can mitigate the impact of breaches by limiting unauthorized access to critical information.
According to Statista, the great majority of cyber security breaches are due to phishing emails directing users to fraudulent websites. This directly relates to the growing need to introduce a structured cyber security training programme for your business. Cyber security training will equip your staff with the knowledge and skills needed to mitigate risks, enhance awareness, comply with regulations, protect their reputation, and ultimately save costs by preventing security breaches and the associated damage, making it an invaluable investment in the digital age.