August 7, 2024 at 06:42PM
Progress Software’s handling of a MOVEit Transfer zero-day flaw, leading to data exposure of 95 million people, was investigated by the SEC. However, in a recent filing, the SEC’s Division of Enforcement will not recommend any enforcement action regarding the security incident. Progress Software still faces numerous class-action lawsuits despite the SEC decision.
From the meeting notes, it is clear that the SEC has concluded its investigation into Progress Software’s handling of the MOVEit Transfer zero-day vulnerability and widespread data theft attacks. Progress Software has filed a new FORM 8-K with the SEC stating that the SEC’s Division of Enforcement will not recommend any enforcement action regarding the security incident at this time. The company has been notified by the SEC that it does not intend to recommend an enforcement action against them. Progress Software had received a subpoena from the SEC on October 2, 2023, as part of a fact-finding inquiry relating to the MOVEit vulnerability.
The SEC has been examining Progress Software’s response to the widespread data theft attacks facilitated through the zero-day vulnerability in the MOVEit Transfer software, as exploited by the Clop ransomware gang. Over 2,770 companies and 95 million people were affected by the attacks, which included government agencies, financial firms, healthcare organizations, airlines, and educational institutions. Despite the SEC’s decision not to recommend an enforcement action, Progress Software is still contending with multiple class-action lawsuits in the Massachusetts federal courts.