MOVEit customer retention levels remained stable in the second half of 2023, despite a spree of attacks against a zero-day vulnerability in MOVEit last spring, Progress Software executives said Tuesday on the company’s earnings call.
The file-transfer service was among Progress Software’s stronger-performing products, contributing in part to the company’s 13% year-over-year growth in revenue, which reached $177 million for the fiscal fourth quarter, ending Nov. 30.
“MOVEit performed well in the first half of 2023 and it held up in the second half of 2023,” CFO Anthony Folger said on the call. Folger specifically called out the file-transfer service for contributing to the company’s 17% year-over-year growth in annualized recurring revenue of $574 million.
Absent significant financial damages, which could come later from class-action lawsuits, legal claims from customers and regulatory investigations, Progress remains confident in MOVEit’s future and is, for the time being, shaking off potentially major negative consequences.
This quick bounceback is common among most companies impacted by such cyberattacks, according to Katell Thielemann, distinguished VP analyst at Gartner.
“There is a stickiness to these products, so it is not easy to just rip and replace them, and downstream victims have very little clout in mandating what tools their vendors should use,” Thielemann said. “A more long-term impact will play out in the courts.”
Progress anticipates more legal costs
MOVEit zero-day exploits directly compromised at least 100 customers, but the Clop ransomware group used that access to ultimately steal data from at least 2,700 organizations, exposing more than 93 million personal records.
Progress bore some financial costs from the MOVEit attacks, including $1 million in cyber incident and vulnerability response expenses during Q4. The company incurred almost $1 million in cyber incident costs during the previous quarter as well, after insurance recoveries kicked in.
The company, in an 8-K filing with the Securities and Exchange Commission, said it expects to incur additional legal and professional services expenses associated with the MOVEit vulnerability. “We do not expect to incur additional costs associated with the cyber incident as the investigation is closed,” the company said.
The SEC’s formal inquiry into the matter, which Progress was informed of via subpoena on Oct. 2, remains underway.
“From my perspective, we have actually done everything in our power to help our customers harden their environment, deal with the incident that they faced and move forward, and we continue to do so,” CEO Yogesh Gupta said on the earnings call.
“We're really proud of being able to keep our customers, and the customers have been loyal to us,” Gupta said. “It's been a really wonderfully positive set of outcomes. Obviously a huge challenge and still a lot of unresolved legal issues and regulatory issues, but from a customer perspective, we continue to be very positive about MOVEit.”
MOVEit remains a critical tool for many industries
Progress hasn’t reported how many customers use MOVEit, but the company sells dozens of business applications and services that are used by more than 100,000 enterprises globally.
The widely exploited zero-day vulnerability in MOVEit was one of eight CVEs disclosed in the file-transfer service since June.
“It’s a huge and impactful vulnerability. It’s really bad obviously, it impacted so many of their clients and so many of their clients’ clients,” said Allan Liska, threat intelligence analyst at Recorded Future. “But because it was a zero-day, I don’t think people are necessarily going to say that they were negligent in any way.”
This is a key distinction from products from other vendors, such as Citrix.
“Citrix is still really popular, but there are fewer and fewer Citrix customers in part because it’s constantly being exploited and patched, and exploited and patched, and so on,” Liska said. “Because it’s such a big target, we see some clients moving away from Citrix because they see it as a liability in their network.”
Customer reactions haven’t reached that point with MOVEit yet, Liska said.
Organizations are notoriously hesitant to change IT vendors. The task is arduous and highlights how critical some pieces of software are to major industries.
“Generally, IT vendors need to do something egregious, like hide the issue, to experience significant churn,” said Zeus Kerravala, principal analyst at ZK Research. “In this case Progress informed their customers when they found out and fixed it as soon as possible,” Kerravala said.
Customers shouldn’t be so forgiving and should hold vendors accountable more often, according to Kerravala.
“Letting them off the hook is more an act of laziness than anything,” Kerravala said. “Moving vendors is a lot of work but working with one that continues to be breached causes more work down the road.”
While Progress reported a revenue increase in the quarter, its operating margin dipped from 19% to 13% year over year and net income declined 35% over the same period to $15.3 million.