The US Securities and Exchange Commission (SEC) is launching an investigation into the cyber vulnerability associated with Progress Software’s MOVEit transfer tool, which resulted in a significant data breach impacting over 2,000 organizations and approximately 60 million individuals.
Furthermore, this vulnerability, known as CVE-2023-34362, was exploited by the Russia-linked Cl0p ransomware group as a zero-day, enabling them to access data from users of the MOVEit Transfer managed file transfer (MFT) software. Notably, around 900 of the affected organizations are US schools, indirectly impacted through third-party services provider National Student Clearinghouse, which was using the MOVEit software at the time of the breach.
Progress Software has confirmed the initiation of the SEC’s own investigation in addition to inquiries launched by data privacy regulators, attorney generals, and a US law enforcement agency. The company received a subpoena from the SEC, signifying the early stages of a fact-finding inquiry. It is important to note that this investigation does not imply that Progress Software or any other party violated federal securities laws, and it doesn’t reflect negatively on any individuals, entities, or securities involved. Progress Software expressed its intention to fully cooperate with the SEC throughout the investigation.
Moreover, the SEC filing also reveals that individuals who claim to have been affected by the MOVEit breach have filed 58 class action lawsuits against Progress Software. Additionally, 23 customers and other entities have sent letters to the company, asserting the impact of the breach and their intent to seek indemnification.
Progress Software noted that for the three and nine months ended August 31, 2023, they incurred $1.0 million in costs related to the MOVEit vulnerability, accounting for insurance recoveries. The company acknowledges that government inquiries and investigations may lead to various outcomes, including adverse judgments, settlements, fines, penalties, or other resolutions, the specifics of which remain uncertain.
