SEC Probes Progress Software Over MOVEit Ransomware Attack
October 12, 2023
The U.S. Securities and Exchange Commission (SEC) has opened an investigation into the security vulnerability in Progress Software's MOVEit Transfer tool. This vulnerability, designated CVE-2023-34362, led to a significant data breach impacting more than 2,000 organizations and 60 million individuals. The flaw was exploited by the notorious Russia-linked Cl0p ransomware group to steal data from organizations using the MOVEit Transfer managed file transfer (MFT) software.
Notably, about 900 U.S. schools were indirectly affected through the third-party services provider National Student Clearinghouse, which was using the MOVEit software at the time of the attack. Progress Software has confirmed in its latest Form 10-Q filing with the SEC that the commission has initiated its own investigation into the incident. This is in addition to the inquiries launched by data privacy regulators, attorneys general, and a U.S. law enforcement agency.
“On October 2, 2023, Progress received a subpoena from the SEC seeking various documents and information relating to the MOVEit vulnerability,” Progress stated in the filing. The company emphasized that the SEC investigation is a fact-finding inquiry and does not imply any violation of federal securities laws or negative opinion about any person, entity, or security. Progress has expressed its intention to fully cooperate with the SEC in its investigation.
Furthermore, the filing revealed that 58 class action lawsuits have been filed against Progress by individuals claiming to have been affected by the MOVEit incident. Additionally, 23 customers and other entities have sent letters to the company, alleging impact and expressing intent to seek indemnification.
For the nine-month period ending August 31, 2023, Progress reported incurring $4.2 million of costs related to the cyber incident. The company also anticipates additional expenses related to investigation, legal, and professional services associated with the hack.
Progress Software also warned that governmental inquiries and investigations could lead to “adverse judgements, settlements, fines, penalties, or other resolutions, the amount, scope and timing of which could be material, but which we are currently unable to predict”.