SEC decides against penalizing MOVEit software maker

The Securities and Exchange Commission (SEC) will not take enforcement action against the company behind MOVEit — a popular file transfer tool that was exploited by hackers last year to steal the information of millions of people.

Progress Software, the company behind MOVEit, said last year that it was facing investigations by dozens of domestic and foreign data privacy regulators, at least two state attorneys general, an unnamed U.S. federal law enforcement agency and the SEC for its handling of the global incident.

On Thursday, Progress said the SEC told the company it has concluded its fact-finding investigation into the MOVEit vulnerability and “does not intend to recommend an enforcement action against the company at this time.” 

“As previously disclosed, Progress received a subpoena from the SEC on October 2, 2023, as part of a fact-finding inquiry seeking various documents and information relating to the MOVEit vulnerability,” the company said. 

An SEC spokesperson told Recorded Future News that it does not comment “on the existence or nonexistence of a possible investigation.” 

Progress Software did not disclose the nature of the SEC investigation, but the agency’s investigative powers include the authority to look into how a company communicates information to investors. A judge recently ruled against the agency in its case involving SolarWinds, another tech firm embroiled in controversy over an exploited vulnerability. 

Cybersecurity firm Emsisoft estimates that 2,773 organizations were impacted by the attacks on MOVEit, and the records of nearly 96 million people were exposed and stolen by the group behind the exploitation. 

The incident caused international outrage as dozens of government agencies, Fortune 500 companies and more confirmed that troves of data had been stolen by hackers connected to the Clop ransomware gang. 

In an SEC filing in May, the company said it has spent about $4.2 million related to the MOVEit incident, much of which will be covered by its $15 million cyber insurance policy. 

In addition to law enforcement action, Progress is facing dozens of lawsuits from the companies affected. The company said it has received formal letters from 38 customers seeking indemnification. At least one insurance company is seeking payment to cover recovery expenses related to a MOVEit breach.

In total, the company “party to approximately 144 class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers.”

One of the lawyers for a class action suit against Progress Software previously told Recorded Future News that the breach was a “cybersecurity disaster of staggering proportions.”

He noted that millions of “Social Security numbers, banking information and even the names of people’s children” were accessed by the hackers, who are estimated to have earned anywhere from $75 million to $100 million just from ransoms during the MOVEit campaign.