PlayStation Confirms Data Breach Has Occurred in the US - News
by William D'Angelo, posted on 02 November 2023 / 9,220 Views
Sony Interactive Entertainment has confirmed a data breach has occurred in the US, according to Bleeping Computer.
About 6,800 current and former employees and their family members have been notified of the cybersecurity breach, which exposed personal information.
Sony says the breach involved the MOVEit Transfer platform and the hackers exploited a zero-day vulnerability, which is "a critical-severity SQL injection flaw that leads to remote code execution."
"On June 2, 2023, SIE discovered the unauthorized downloads, immediately took the platform offline and remediated the vulnerability," reads the notice from Sony Interactive Entertainment. "An investigation was then launched with assistance from external cybersecurity experts. We also notified law enforcement.
"Once SIE identified the downloaded files, we began a process to determine what types of personal information were affected and to whom it relates. While we worked quickly, this was a time-consuming process, and we wanted to provide you accurate information."
Sony Interactive Entertainment has increased the monitoring of its systems and is taking other steps to reduce the chances of this type of breach occurring again. The company said the attack did not impact any other systems.
Last month, ransomware group Ransomed.vc claimed it had successfully breached Sony and was looking to sell the data it had stolen.
"We have successfully compromissed [sic] all of sony systems," the group claimed. "We wont ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE. WE ARE SELLING IT."
Sony stated they "are currently investigating the situation, and we have no further comment at this time."
A life-long and avid gamer, William D'Angelo was first introduced to VGChartz in 2007. After years of supporting the site, he was brought on in 2010 as a junior analyst, working his way up to lead analyst in 2012 and taking over the hardware estimates in 2017. He has expanded his involvement in the gaming community by producing content on his own YouTube channel and Twitch channel. You can contact the author on Twitter @TrunksWD.
RIP MOVEit. I think recovering from this breach incident will be quite the challenge. SQL injection attacks were widely used from 2000 through 2010 but now it's mostly used on legacy software. Modern software design should prevent these by default unless you badly mess up or work from a legacy code base that hardly saw modernization.
Neither, it was as a result of their use of a 3rd party app called MOVEit which had a security flaw enabling SQL injection. Considering the scope of the data stolen my guess is that this software was used by HR and so hackers only had access to HR files that at some point had been transferred with / stored in MOVEit.
I would be tempted to say so too, but it can be really hard to know how secure the products you use are. Software might also appear secure on the surface, only to have significant vulnerabilities under the hood. I'm sure you can generally get a fairly good idea about how secure a piece of software is, but it's probably expensive, leading such investigations to be reserved for quite critical software only - which Sony's most likely cannot be claimed to be.
Just about every big corporation has had some sort of data breach, the fact is in this day and age many companies are running hundreds if not thousands of pieces of software featuring a mix of bespoke and generic software applications supporting a range of corporate needs from the complex to the banal and being delivered across a variety of systems and the larger and more complex these systems and subsystems grow the harder it is to keep on top of them.
Especially when you factor in the amount of effort spent by all those government and organized crime led university educated hackers on cracking the very systems they spent years learning about, so it becomes a complex version of whack a mole.
Exactly. Every piece of software has vulnerabilities, and it's a constant race to keep on top of the situation. Then there's also the question of what kinds of threats you need to protect against - for example, for most organizations, preparing against state actors is probably overkill.
I don't disagree with any of that. Still, Sony is responsible. If I give you my money, my data, or anything else, I gave it to you. If you transferred it to a third party, or relied on a third party to do something good with it, or whatever, that's a choice you made, not me. So, you bear the responsibility.
Absolutely, but at least it's not Sony's incompetence that led to this (or at least it doesn't seem that way). I think there are varying degrees of how much you can blame a party for getting hacked, and in this case, it doesn't seem to be much - but of course Sony is still responsible, it's just an easier situation than if this would be caused by their own incompetence.
Yep that's why MOVEit is dead IMO, or rather the parent company Progress I should have said.
They seem to have only a few enterprise solutions, of which MOVEit was by and large their biggest (from what I could quickly gather).
The issue is MOVEit's use cases are covered by tons of other solutions from their competitors, and also their other services are about network monitoring, which I'm having a hard time believing there's a lot of demand for after those breaches.
So at the end of the day Progress is dead or will undergo substantial shrinking over the coming months, no doubt about it.
Well, then it didn't impact PSN, which is what we wanted to hear.







