A week after an extortion group called Ransomed.vc claimed to have hacked into Sony’s systems and stolen 3.14GB of data, the company has admitted to a second security breach. This one occurred back in May and involved the personal data of nearly 6,791 current and former employees.
The older but previously unknown hack was reported yesterday by Bleeping Computer. A notice from Sony to employees said the hack occurred by way of an exploit in “Progress Software’s MOVEit Transfer platform.” The security breach occurred on May 28, before the exploit was fixed, and compromised the personal information of thousands of current and former employees at Sony Interactive Entertainment.
The company is offering “complimentary Equifax complete Premier credit monitoring and identity restoration services” to those impacted. Equifax had to pay $575 million as part of a 2019 settlement with the Federal Trade Commission over its own data breach exposing the personal information of 147 million consumers.
Meanwhile, the more recent hack, first publicized last week by a group called Ransomed.vc, appears to have been real. While Sony said it was investigating the claims at the time, it has now told Bleeping Computer that third-party forensics specialists helped it identify rogue activity on a “single server located in Japan used for internal testing for the Entertainment, Technology and Services (ET&S) business.” That’s a separate part of the company from Sony’s gaming, music, and movie divisions.
“Sony has taken this server offline while the investigation is ongoing,” the company said in its new statement. “There is currently no indication that customer or business partner data was stored on the affected server or that any other Sony systems were affected. There has been no adverse impact on Sony’s operations.”
No information appears to have leaked from the most recent breach, although there has been some dispute over who exactly was responsible for it. While Ransomed.vc originally claimed responsibility and threatened to release the data unless Sony paid it $2.5 million, another user called “MajorNelson,” seemingly named after the now-retired Xbox hype-man, said the group was not involved. They then went ahead and leaked a 2.4 GB compressed archive that allegedly included actual Sony data, though no one has yet verified if that’s actually the case.
So far at least, neither hack appears to be anywhere near the scale of major security breaches at Sony in the past, including North Korea’s hack of its movie division and that time when PlayStation Network went down for over a month.
Correction 10/5/2023 3:41 p.m. ET: Bleeping Computer’s report was published on October 4, not October 5.