On October 3, 2023, Sony Interactive Entertainment (SIE) disclosed a data breach stemming from an exploit in Progress Software’s MOVEit Transfer platform, a third-party vendor tool used by the company. The incident, which occurred on May 28, 2023, involved unauthorized downloads of files containing personal information of former employees and their family members. While the exact scope of the breach including the number of affected individuals and the specific types of compromised data remains undisclosed, the exposure primarily targeted internal employee records.The breach was part of a broader zero-day vulnerability campaign exploiting MOVEit Transfer, impacting multiple organizations globally. SIE confirmed that the incident did not affect its gaming services, customer data, or business operations, but the exposure of former employees' and dependents' personal details such as names, addresses, or potentially sensitive identifiers poses risks of identity theft, phishing, or fraud. The company stated it is notifying impacted individuals and offering support measures, though the delayed disclosure (nearly five months after the breach) raised concerns about transparency and incident response protocols.
TPRM report: https://www.rankiteo.com/company/sony-interactive-entertainment-llc
"id": "son033090625",
"linkid": "sony-interactive-entertainment-llc",
"type": "Breach",
"date": "5/2023",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': 'Unknown (former employees and '
'their family members)',
'industry': 'Gaming/Entertainment',
'location': 'Global (HQ in San Mateo, California, USA)',
'name': 'Sony Interactive Entertainment (SIE)',
'type': 'Corporation'},
{'industry': 'Technology',
'location': 'Global (HQ in Bedford, Massachusetts, '
'USA)',
'name': 'Progress Software (MOVEit Transfer vendor)',
'type': 'Software Vendor'}],
'attack_vector': 'Exploitation of third-party vendor vulnerability (MOVEit '
'Transfer)',
'data_breach': {'data_exfiltration': 'Yes (unauthorized downloads)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personal information of '
'employees and family members)',
'type_of_data_compromised': 'Personal information'},
'date_detected': '2023-10-03',
'date_publicly_disclosed': '2023-10-03',
'description': 'On October 3, 2023, Sony Interactive Entertainment (SIE) '
'reported a data breach involving unauthorized downloads of '
"files from its vendor Progress Software's MOVEit Transfer "
'platform. The breach occurred on May 28, 2023, and affected '
'personal information of former employees and their family '
'members, although the exact number of individuals affected is '
'unknown.',
'impact': {'data_compromised': 'Personal information of former employees and '
'their family members',
'identity_theft_risk': 'Potential (personal information exposed)',
'systems_affected': ["Progress Software's MOVEit Transfer "
'platform']},
'initial_access_broker': {'entry_point': 'MOVEit Transfer vulnerability',
'high_value_targets': 'Personal data of former '
'employees and family '
'members'},
'investigation_status': 'Disclosed; details limited',
'post_incident_analysis': {'root_causes': 'Exploitation of third-party vendor '
'(MOVEit Transfer) vulnerability'},
'references': [{'date_accessed': '2023-10-03',
'source': 'Sony Interactive Entertainment disclosure'}],
'response': {'communication_strategy': 'Public disclosure on October 3, 2023'},
'title': 'Sony Interactive Entertainment Data Breach via MOVEit Transfer '
'Vulnerability',
'type': 'Data Breach',
'vulnerability_exploited': 'MOVEit Transfer platform vulnerability (likely '
'CVE-2023-34362)'}