Progress Software facing dozens of class action lawsuits, SEC investigation following MOVEit incident

The company behind a popular file transfer tool is facing dozens of lawsuits and investigations by several U.S. agencies following the exploitation of a critical vulnerability in May.

Progress Software – the company that owns the MOVEit file transfer tool – reported its quarterly earnings this week and provided a detailed breakdown of the costs associated with the cybersecurity incident affecting MOVEit, as well as the lawsuits the company is now facing.

Hundreds of critical organizations across the globe reported widespread theft of data by Clop, a Russian-speaking ransomware gang with a proven track record of exploiting bugs in file transfer software.

According to regulatory filings this week, Progress Software says it has received formal letters from 23 MOVEit customers seeking indemnification, whereby the owners of the product would be liable for the financial costs that come with lawsuits. There is also an unnamed insurance company seeking the recovery of all expenses caused by the MOVEit vulnerability.

“And we are party to 58 class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers,” it told the Securities and Exchange Commission, noting that last week a judicial panel ordered that the lawsuits should be combined and heard at a U.S. District Court in Massachusetts.

Security firm Emsisoft estimates that more than 62 million people and 2,000 organizations were affected by the MOVEit breaches. One of the lawyers for a class action suit against Progress Software previously told Recorded Future News that the breach was a “cybersecurity disaster of staggering proportions.”

He noted that millions of “Social Security numbers, banking information and even the names of people’s children” were accessed by the hackers, who are estimated to have earned anywhere from $75 million to $100 million just from ransoms during the MOVEit campaign.

SEC inquiry

Progress Software also explained that it is facing investigations at the state, federal and international level.

“We have also been cooperating with several inquiries from domestic and foreign data privacy regulators, inquiries from several state attorneys general, as well as formal investigations from: (i) a U.S. federal law enforcement agency… and (ii) the SEC (as further described hereafter),” it said. The federal law enforcement investigation, it clarified, is not “an enforcement action or formal governmental investigation” into the company at this point.

Ten days ago, the company says it received a subpoena from the SEC seeking documents and information relating to the MOVEit vulnerability. The SEC informed them it was “a fact-finding inquiry” and “does not mean that Progress or anyone else has violated federal securities laws.”

Progress Software says it plans to “cooperate fully with the SEC.”

When assessing the financial toll of the incident, Progress Software said the MOVEit Transfer product “represented less than 4%” of their revenue for the last nine months.

In total, the company spent $1 million dollars on costs related to the vulnerability after an insurance company covered $1.9 million of the bills incurred. It added they “expect to incur investigation, legal and professional services expenses associated with the MOVEit Vulnerability in future periods.”

The company declined to assess the business losses from the incident due to the limbo of the class action lawsuits, government investigations and more. It has a $15 million cyber insurance policy, of which $4.9 million was spent on the MOVEit vulnerability and another cyber incident in November 2022.

The company did not give an in-depth explanation for the November incident, only saying it detected “irregular activity on certain portions” of its network and hired cybersecurity experts to examine the incident. The outside experts cost $4.2 million, of which $3 million was covered by insurance.

Nearly six months on from the incident, the fallout has continued. Dozens of organizations continue to report breaches related to the vulnerability. Last week, Michigan-based Flagstar Bank sent breach notification letters to 837,390 people notifying them that their Social Security numbers and other personal information were stolen through the MOVEit vulnerability.

Emsisoft threat analyst Brett Callow, who has tracked the situation since it was first unveiled in May, said given the number of organizations impacted and the type of data that was potentially accessed, this is “probably one of the most significant cybersecurity incidents to date.”

“Cl0p and likely other threat actors are now in possession of data which can be used as a basis for other attacks on other organizations — phishing and BEC [business email compromise], for example — as well as identity fraud against individuals,” he said. “The extent to which that happens remains to be seen.