October 12, 2023 at 01:12PM
The US Securities and Exchange Commission (SEC) has launched an investigation into the vulnerability in Progress Software’s MOVEit Transfer tool, which exposed the data of over 2,000 organizations and 60 million individuals. The flaw, tracked as CVE-2023-34362, was exploited by the Cl0p ransomware group to steal data. Progress Software received a subpoena from the SEC, and the company confirmed its intention to cooperate fully with the investigation. 58 class action lawsuits have been filed against Progress Software, and the company has also received letters claiming impact and an intent to seek indemnification. The company expects to incur significant expenses related to the incident.
Key takeaways:
1. The US Securities and Exchange Commission (SEC) has launched its own investigation into the vulnerability in Progress Software’s MOVEit Transfer tool.
2. The vulnerability, tracked as CVE-2023-34362, was exploited by the Cl0p ransomware group to steal data from organizations using the MOVEit Transfer managed file transfer software.
3. Approximately 2,000 organizations and 60 million individuals were affected by the data breach, with 900 schools in the United States impacted indirectly through a third-party services provider.
4. Progress Software has received a subpoena from the SEC, requesting documents and information related to the vulnerability.
5. The SEC investigation is currently a fact-finding inquiry and does not imply any violation of federal securities laws.
6. Progress Software intends to fully cooperate with the SEC in its investigation.
7. The company is facing 58 class action lawsuits from individuals claiming to have been impacted by the incident.
8. 23 customers and entities have sent letters to the company, seeking indemnification.
9. Progress Software has incurred $4.2 million in costs related to the cyber incident and expects additional expenses associated with investigations, legal matters, and professional services.
10. The outcome of governmental inquiries and investigations could result in significant judgments, settlements, fines, penalties, or other resolutions, which are currently unpredictable.
Additional context:
– The vulnerability in the MOVEit Transfer tool allowed the Russia-linked Cl0p ransomware group to carry out a zero-day attack on various organizations.
– Progress Software has been addressing security issues with its MOVEit product and has released security service packs to enhance its security measures.
– The company acknowledges that the SEC investigation and other inquiries could have material implications for Progress Software.