The Securities and Exchange Commission does not currently intend to recommend any enforcement action against Progress Software following an investigation into the MOVEit file-transfer service vulnerability, the company said in a disclosure with the agency.
The SEC subpoenaed Progress last October as part of a fact-finding probe into the company’s handling of the incident, which led to mass exploitation linked to the Clop ransomware gang.
Thousands of companies, government agencies and other organizations were impacted by the attack spree, in which millions of downstream customers had sensitive data stolen.
“The SEC’s decision to conclude its investigation and not pursue any enforcement action represents a significant step forward for Progress,” a spokesperson for the company said via email. “We have cooperated fully and in good faith throughout the fact finding inquiry and are pleased with this outcome.”
The company is still dealing with extensive regulatory fallout from the Federal Trade Commission, state attorneys general and class action lawsuits. An SEC spokesman said the agency “does not comment on the existence or nonexistence of a possible investigation.”
The decision not to pursue enforcement actions comes just weeks after a federal district court dismissed most of the civil charges in an SEC case against SolarWinds.
The SEC in October 2023 filed suit against SolarWinds and its CISO Timothy Brown, alleging the company misled investors about the company’s existing cybersecurity risks.
The court ruled the SEC could not use existing laws based on maintaining financial controls to enforce controls over the company’s cybersecurity oversight. The court did, however, allow a core piece of the civil case based on claims made by SolarWinds in its security statement.
Federal agencies have increasingly held companies and senior executives accountable in recent years in connection with their disclosures about cyber risk.
The SEC reached a $3 million settlement with Blackbaud, a South Carolina-based educational software company, for misleading disclosures the company made in a 2020 ransomware attack.
The former CSO of Uber was convicted in federal court of covering up a ransomware attack while the company was under investigation by the FTC in a prior data security case.
The Department of Justice entered a non-prosecution agreement with Uber in connection with that case.