Sony was attacked by two ransomware operators

On September 25, newcomer ransomware group RansomedVC claimed to have successfully compromised the computer systems of entertainment giant Sony.

Then, on October 4, news leaked that Sony had told current and former employees and their family members about another cybersecurity breach that exposed personal information. This was confirmed by a Data Breach Notification submitted in Maine.

It looks as if this is fallout from the attack on Sony that was claimed by the Cl0p ransomware gang in June. This would mean that Sony can be chalked up as yet another victim of the MOVEit vulnerability.

A Sony spokesperson shared a statement with BleepingComputer, confirming a limited security breach:

“Sony has been investigating recent public claims of a security incident at Sony. We are working with third-party forensics experts and have identified activity on a single server located in Japan used for internal testing for the Entertainment, Technology and Services (ET&S) business. Sony has taken this server offline while the investigation is ongoing. There is currently no indication that customer or business partner data was stored on the affected server or that any other Sony systems were affected. There has been no adverse impact on Sony’s operations.”

While the FBI has warned of multiple ransomware attacks on the same victim, neither of these ransomware groups is on its list of ransomware variants used in these double attacks, so it is doubtful that this was the play here.

The disputed dataset contained details for the SonarQube platform, certificates, Creators Cloud, incident response policies, a device emulator for generating licenses, and more. The data stolen by Cl0p seems to contain personal information about former and current staff, including Social Security Numbers. According to the Data Breach Notification, the total number of persons affected is 6791.

So it seems reasonable to assume that Sony suffered two separate breaches that used different methods and stole different datasets.