Progress Software, a leading software company, announced that it has received a subpoena from the Securities and Exchange Commission (SEC) regarding a vulnerability in its file transfer software, MOVEit. This vulnerability was exploited in a massive attack that started in May. The SEC’s investigation is currently classified as a “fact-finding inquiry,” and there is no indication that Progress Software has violated any federal securities laws. The company has stated its intention to fully cooperate with the SEC.
According to a report by cybersecurity software company Emsisoft, the breach of MOVEit resulted in the exposure of information belonging to at least 64 million individuals across 2,547 affiliated organizations. Among the affected organizations are the Louisiana Office of Motor Vehicles and the Colorado Department of Health Care Policy and Financing. Sony also confirmed that its employee data was compromised in the exploit. Furthermore, Flagstar Bank, a financial services provider based in Michigan, sent a notice to its customers informing them that their records had been stolen. As a result, Flagstar Bank is offering free identity monitoring services for two years to affected customers.
The perpetrators behind this attack are known as the CL0P ransomware gang. They are credited with pioneering the practice of double extortion, which involves encrypting the target’s data and threatening to leak it unless a ransom is paid. The group has since released data stolen in the MOVEit hack. Some of the affected companies include Kirkland and TD Ameritrade. In response, the FBI has offered a reward of up to $10 million for information that could link CL0P to any foreign government.
The full extent of the damage caused by this attack is still unknown. However, some of the affected customers have started seeking restitution for the breach. Progress Software revealed in its regulatory filing that it is facing 58 class action lawsuits as a result. While some of these lawsuits may be consolidated, they still pose the risk of significant civil penalties for the company.
Data breaches like the one involving MOVEit highlight the increasing threat that cyberattacks pose to organizations and individuals. The financial, reputational, and legal consequences of such incidents can be severe. As a result, businesses must take proactive measures to ensure the security of their systems and data. These include regularly updating software and patching vulnerabilities, implementing strong security protocols, and training employees on cybersecurity best practices.
In conclusion, Progress Software’s disclosure of the SEC subpoena regarding the vulnerability in its MOVEit software sheds light on the significant impact of the exploit that occurred last May. The investigation is ongoing, and Progress Software has pledged its cooperation. Meanwhile, the affected organizations are grappling with the aftermath of the breach and pursuing legal action for restitution. This incident serves as a reminder of the critical importance of prioritizing cybersecurity measures to mitigate the risks posed by cyberattacks.