The U.S. Securities and Exchange Commission (SEC) has opened an investigation into the security vulnerability in Progress Software's MOVEit Transfer tool. This vulnerability, designated as CVE-2023-34362, led to a significant data breach impacting more than 2,000 organizations and 60 million individuals. The flaw was exploited by the notorious Russia-linked Cl0p ransomware group to steal data from organizations using the MOVEit Transfer managed file transfer (MFT) software.
Notably, about 900 U.S. schools were indirectly affected through the third-party services provider National Student Clearinghouse, which was using the MOVEit software at the time of the attack. Progress Software has confirmed in its latest Form 10-Q filing with the SEC that the commission has initiated its own investigation into the incident. This is in addition to the inquiries launched by data privacy regulators, attorneys general, and a U.S. law enforcement agency.
“On October 2, 2023, Progress received a subpoena from the SEC seeking various documents and information relating to the MOVEit vulnerability,” Progress stated in the filing. The company emphasized that the SEC investigation is a fact-finding inquiry and does not imply any violation of federal securities laws or negative opinion about any person, entity, or security. Progress has expressed its intention to fully cooperate with the SEC in its investigation.
Furthermore, the filing revealed that 58 class action lawsuits have been filed against Progress by individuals claiming to have been affected by the MOVEit incident. Additionally, 23 customers and other entities have sent letters to the company, alleging impact and expressing intent to seek indemnification.
For the nine-month period ending August 31, 2023, Progress reported incurring $4.2 million of costs related to the cyber incident. The company also anticipates additional expenses related to investigation, legal, and professional services associated with the hack.
Progress Software also warned that governmental inquiries and investigations could lead to “adverse judgements, settlements, fines, penalties, or other resolutions, the amount, scope and timing of which could be material, but which we are currently unable to predict.”