Breach stems from exposed vulnerability with IT vendor
About 6,800 individuals connected to Sony Interactive Entertainment (SIE) had their personal information compromised after a data breach early this year hit one of the organisation's IT vendors.
A total of 6,791 individuals were affected, including current and former employees, as well as their family members, according to the notification letter by Sony.
The letter informed the affected individuals of the compromised personal information, which the Office of the Maine Attorney General censored when it published the notification last week.
Sony said it was not aware if the compromised personal information has been published or misused elsewhere, as per the letter.
Events of the breach
According to Sony, the cybersecurity event was related to one of its IT vendors, Progress Software, and its MOVEit Transfer platform.
Progress Software said on May 31, 2023, that it found vulnerability in the said platform, which is used by Sony and thousands of other enterprises worldwide.
Prior to the announcement, however, an authorised actor used this vulnerability on May 28 to download Sony's files that were stored in the MOVEit platform.
Sony discovered the unauthorised downloads on June 2, and immediately took the platform offline and remediated the vulnerability.
"An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement," Sony said in the letter.
"In addition to immediately remediating the vulnerability, SIE has increased the monitoring of its systems and is taking other steps to reduce the risk of this type of cyber event occurring in the future."
The Verge reported that ransomware group known as Cl0p took responsibility for this data breach.
Sony's post-breach actions
According to Sony, they launched a "time-consuming process" that determined what personal information were affected and to whom it related after they identified the downloaded files.
Affected employees have been offered a complimentary Equifax Complete Premier credit monitoring and identity restoration services, according to Sony.
It also urged affected individuals to monitor potential unauthorised transactions.
"It is always a good idea to remain vigilant against threats of identity theft or fraud and to review and monitor your account statements and credit history for any signs of unauthorised transactions or activity regularly," Sony said.