Sony says it is investigating a claim by a ransomware group that says it has hacked the company’s systems and is now trying to sell the data it accessed.
The hack was reported by Cyber Security Connect, which said that a group calling itself Ransomed.vc claimed to have breached Sony’s systems and accessed an unknown quantity of data. “We have successfully compromissed [sic] all of Sony systems,” Ransomed.vc wrote on its leak sites. “We won’t ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE … WE ARE SELLING IT.”
The site said the hackers posted some “proof-of-hack data” but described it as “not particularly compelling,” and also said that the file tree for the alleged hack looks small, given the group’s claim that it had compromised “all of Sony’s systems.” A price for the hacked data isn’t posted, but Ransomed.vc did list a “post date” of September 28, which is presumably when it will release the data publicly if no buyers are found.
While the hackers say they’re not going to ransom the data, Ransomed.vc apparently does have a history of doing so, with a unique twist: Cybersecurity site Flashpoint said in August that Ransomed takes “a novel approach to extortion” by using the threat of the European Union’s General Data Protection Regulation (GDPR) rules to convince companies to pony up. By threatening to release data that exposes companies to potentially massive GDPR fines, the group may hope to convince them that paying a little now is better than paying a whole lot later.
“The group has disclosed ransom demands for its victims, which span from €50,000 EUR to €200,000 EUR,” Flashpoint explained. “For comparison, GDPR fines can climb into the millions and beyond—the highest ever was over €1 billion EUR. It is likely that Ransomed’s strategy is to set ransom amounts lower than the price of a fine for a data security violation, which may allow them to exploit this discrepancy in order to increase the chance of payment.”
While the extent of the hack is unknown, Sony told IGN that it is looking into the matter: “We are currently investigating the situation, and we have no further comment at this time.”
If the hackers’ claim is true, this would not be the first time Sony has suffered a data security breach: A 2011 hack of Sony Online Entertainment databases resulted in a massive theft of information belonging to SOE account holders, including names, addresses, telephone numbers, login information, and credit card and banking information.