SEC Launches Investigation into Progress Software’s MOVEit Hack
In May 2023, a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution was mass exploited by the Clop ransomware group. Progress Software disclosed the vulnerability on May 31 and deployed a patch the same day; however, the Clop ransomware group had already exploited the vulnerability and stolen files from many of its customers.
The total number of affected customers has yet to be confirmed, but Emsisoft says that as of October 16, 2023, at least 2,551 organizations are known to have been affected and the data of more than 64 million individuals has been stolen. The education sector was the worst affected, accounting for around 41% of victims, followed by healthcare (19%), and finance/professional services (12%). Emsisoft estimated the total cost of the attack to be $10,637,147,400, based on average data breach costs calculated by IBM in its 2023 Cost of a Data Breach Report.
In a recent filing with the U.S. Securities and Exchange Commission (SEC), Progress Software reported $2.9 million in losses due to the attack up to the end of August 2023; however, it held $15 million in cyber insurance policies at the time of the attack and still has $10.1 million available. $1.9 million of the costs associated with the attack are being covered by its insurance policies, and it has only incurred direct costs of $1 million. Progress Software also confirmed that its insurance policies have paid out $3 million for a December 2022 cyberattack, which has cost the company $4.2 million so far this year. Progress Software anticipates further investigation costs, professional services expenses, and litigation costs. The litigation costs could be considerable. Progress Software said it is aware of 58 separate class action lawsuits over the incident. Because the claims are similar and the lawsuits state the same facts, they have been centralized. The consolidated litigation has been assigned to U.S. District Court Judge Allison D. Burroughs in the District Court for the District of Massachusetts.
Burlington, MA-based Progress Software has also confirmed that it received an SEC subpoena on October 2, 2023, seeking documents related to the incident and information on the vulnerability that was exploited. “The SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws, and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security,” explained Progress Software in its SEC filing. “Progress intends to cooperate fully with the SEC in its investigation.”
Progress Software said its MOVEit products account for only around 4% of its revenue and the incident has had minimal impact on its business so far. The $1 million in costs incurred so far represents just 0.5% of the $175 million revenue it reported for Q3, 2023, and its revenue is up 6% on last year. While the impact of the attack appears to be limited at this stage, it is naturally too early to tell what impact the litigation will have. Progress Software said most of its impacted customers have been positive about the company’s response, although up to the end of August, Progress Software had received formal letters from 23 of its customers, some of which have indicated they will be attempting to seek restitution from the company.
The SEC probe may also have an adverse impact on its operations and could potentially open up the company to further governmental and regulatory probes. “Our financial liability arising from any of the foregoing [MOVEit exploits] will depend on many factors, including the extent to which governmental entities investigate the matter and limitations contained within our customer contracts; therefore, we are unable at this time to estimate the quantitative impact of any such liability with any reasonable degree of certainty,” said a spokesperson for the company.


