One year after a flurry of zero-day attacks targeted MOVEit customers, the legal liabilities for Progress Software, the company behind the file-transfer service, are still piling up.
Progress Software is party to at least 144 class-action lawsuits, which have been consolidated with a subrogation claim from an insurer in the U.S. District Court for the District of Massachusetts, the company said in a Monday filing with the Securities and Exchange Commission.
The growing multiplicity of legal actions accentuates the evolving follow-on impacts and expenses Progress could incur as a result of the attacks on its customers’ MOVEit environments over Memorial Day weekend last year.
By the end of 2023, the ransomware group Clop compromised more than 2,700 organizations and exposed more than 93 million personal records held in MOVEit environments.
The number of class-action lawsuits filed against Progress, as of May 31, increased from 127 at the end of the previous quarter, which ended Feb. 29. Progress reported 58 class-action lawsuits at the close of its fiscal year 2023, which ended Nov. 30.
The Massachusetts-based company has also received letters from 38 customers, up from 35 at the end of the previous quarter, some of which indicated they intend to seek indemnification.
While Progress braces for potential legal judgments, settlements and fines, costs linked to its ongoing response to the most significant cyberattack of 2023 are growing.
Expenses related to the MOVEit vulnerability grew from $1 million in Progress’ fiscal first quarter to $3 million in the most recently closed quarter. The incurred costs do not include $1.9 million in insurance recoveries the company recognized over the six-month period.
Government and regulatory inquiries
Progress is also grappling with several government and regulatory investigations. The SEC notified the company of a formal investigation in October, and subpoenas received from the attorneys general in the District of Columbia and New Jersey, remain ongoing.
“We continue to cooperate with regulators in a transparent manner because we’re confident that Progress acted appropriately and with the interests of our customers at the forefront in our response to the attack on their MOVEit environments,” Progress Software President and CEO Yogesh Gupta said on the company’s June 25 earnings call.
Inquiries from data privacy regulators in the United Kingdom, Australia and Spain were closed without action.
The company also received a preservation notice from the Federal Trade Commission in December, but has not received a request for information or communication indicating a formal investigation is underway.
Progress said it expects to incur additional investigation, legal and professional services expenses associated with the MOVEit vulnerability in future quarters.
Yet, with multiple lawsuits and investigations ongoing, the company said in its SEC filing “we cannot reasonably estimate a range of possible losses at this time.”
