Progress Software has endured minimal financial impacts from the MOVEit zero-day vulnerability identified in May, but lawsuits and government investigations are mounting.
The Securities and Exchange Commission, Federal Trade Commission, domestic and foreign data privacy regulators, and several state attorneys general are looking into the MOVEit zero-day vulnerability and resulting exploits, the company said in an annual report filed Friday with the SEC.
The enterprise software company is also “party to approximately 118 class-action lawsuits filed by individuals who claim to have been impacted by exfiltration of data from the environments of our MOVEit Transfer customers,” the company said.
The scope of potential fines and penalties awaiting Progress in the wake of widespread damage caused by the MOVEit exploits could change the dynamics of the company’s response and business outlook.
MOVEit zero-day exploits directly compromised at least 100 customers, but the Clop ransomware group behind the attacks used that access to ultimately steal data from at least 2,700 organizations, exposing more than 93 million personal records.
The MOVEit vulnerability impacted millions of individuals and thousands of organizations, but the file-transfer service isn’t a major revenue driver for Progress. MOVEit represented less than 4% of Progress’ fiscal year 2023 revenue.
Until this point, insurance has largely covered the costs stemming from the MOVEit zero day.
Progress incurred $1.5 million in costs related to the MOVEit vulnerability, not including $3.7 million in insurance recoveries, during its fiscal year 2023 ending Nov. 30. The company has $8.8 million remaining in available cybersecurity insurance coverage.
Total annual cyber incident and vulnerability response expenses amounted to almost $6.2 million, accounting for less than 1% of Progress’ fiscal 2023 revenue of $694 million, which was up 15% year over year.
Investigations afoot
While direct financial costs attributable to the MOVEit zero-day vulnerability remain limited, the company warned investors of future potential losses arising from legal claims, fines or penalties.
The FTC and SEC have charged and levied orders against companies over poor security practices that led to downstream compromises and the theft of personal data. The SEC charged SolarWinds and CISO Tim Brown in October with fraud and internal control failures leading to the Sunburst attack discovered in December 2020.
Progress said it is “currently unable to develop an estimate of the losses or range of losses incurred (if any),” and the company has yet to record a loss contingency or accrued liability for the MOVEit vulnerability.
“The amount, scope and timing of which could be material, but which the company is currently unable to predict,” the company said in the SEC filing.
Progress outlined three formal government investigations underway:
- The SEC issued a subpoena to Progress as part of its formal inquiry into the matter on Oct. 2.
- The FTC sent the company a preservation notice on Dec. 21, but the agency has yet to request information or notify the company of a formal FTC investigation, Progress said in its annual report. The FTC letter requires Progress to preserve any data relevant to the inquiry.
- The Office of the Attorney General for the District of Columbia opened an investigation into the MOVEit vulnerability, which Progress was informed of via subpoena on Jan. 18, the company said.
Progress is confronting extensive legal challenges, including a subrogation claim filed by an insurance company seeking recovery for all expenses connected to the MOVEit vulnerability and formal letters from 31 customers, some of which indicated plans to seek indemnification.