SEC is Investigating Progress Software in Wake of MOVEit Attacks
Progress Software is now adding an investigation by the U.S. Securities and Exchange Commission to its growing list of legal and financial headaches stemming from the massive hack of its MOVEit file transfer tool that has affected more than 2,500 organizations over the past five months.
In a regulatory filing with the SEC this week, Progressive executives wrote that the company received a subpoena from the agency on October 2 seeking documents and other information related to the flaw.
“As described in the cover letter accompanying the subpoena, at this stage, the SEC investigation is a fact-finding inquiry,” they wrote. “The investigation does not mean that Progress or anyone else has violated federal securities laws, and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security.”
They said Progress will cooperate fully with the SEC.
Thousands of Companies, Millions of People
The SEC investigation is a testament to the massive scale of the data breaches brought on by the MOVEit vulnerability, which was exploited by the Cl0p ransomware operation beginning in late May. According to cybersecurity firm Emsisoft, as of October 12, 2,547 organizations and more than 64.4 million individuals were affected by the flaw, which is being tracked as CVE-2023-34362.
Among the hardest hit organizations were Maximus, a U.S. government services company, where 11 million individuals had their data exposed, the Louisiana Office of Motor Vehicles (6 million), Teachers Insurance and Annuity Association of America (2.6 million), and Nuance Communications (1.2 million).
Sony earlier this month notified about 6,800 current and former employees that the company was a victim of the MOVEit vulnerability. The Cl0p group had added Sony to its list of victims in June, but it wasn’t until this month that Sony admitted it had been breached.
Organizations based in the United States account for 77.8% of the known victims, according to Emsisoft.
The vulnerability affected both MOVEit Transfer, which is the on-premises version of the tool, and MOVEit Cloud, a cloud-hosted version that is deployed both in the public cloud and – for a small group of customers – in dedicated instances hosted on Progress’ MOVEit Cloud platform. By exploiting the vulnerability, the attackers were able to gain unauthorized escalated privileges and access customers’ environments.
The executives wrote that they haven’t seen evidence of customer data being exfiltrated from the public MOVEit Cloud instances, but two of the companies on the dedicated cloud platform said attackers had gotten into their cloud environments.
Progress issued three patches for the bug between May 31 and June 15.
Lawsuits and Investigations
So far, it appears the financial hit on Progress has been minimal, with the company incurring $1 million in MOVEit zero-day vulnerability-related costs after received and expected insurance payouts of about $1.9 million.
However, that likely will change in the coming months. The Progress executives wrote that they expect the company “to incur investigation, legal and professional services expenses associated with the MOVEit Vulnerability in future periods. … While a loss from these matters is possible, we cannot reasonably estimate a range of possible losses at this time, particularly while the foregoing matters remain ongoing.”
So far, Progress has received formal letters from 23 customers and others saying they were affected by the vulnerability, some of whom said they intended to ask the company to pay them for the costs they incurred from the attacks. In addition, an insurer sent a letter putting Progress on notice that they were going to seek to have the company pay for its MOVEit-related expenses.
Also, the company said in its filing that there are 58 class-action lawsuits filed against Progress by people who say their data was stolen.
“We have also been cooperating with several inquiries from domestic and foreign data privacy regulators, inquiries from several state attorneys general, as well as formal investigations from: a U.S. federal law enforcement agency [that isn’t the SEC] (as of the date of the filing of this report, the law enforcement investigation that we are cooperating with is not an enforcement action or formal governmental investigation of which we have been told that we are a target),” the executives wrote.
They also wrote that the company could take a financial blow depending on what customers and partners do in the wake of the MOVEit vulnerability, such as seek refunds, delay implementing Progress products or making payments, failing to pay the company, or stop using the products.
“In addition, in the ordinary course of business, some of our customers and partners may seek bankruptcy protection or other similar relief and fail to pay amounts due to us, or pay those amounts more slowly, either of which could adversely affect our operating results, financial position and cash flow,” the executives wrote.