The extensive cyberattack on MOVEit, which resulted in the exposure of personal data for a minimum of 64 million individuals, is currently the subject of an active investigation by U.S. securities regulatory authorities. This revelation comes directly from the software developer, Progress Software.
In a regulatory filing published this week, Progress Software disclosed that it had received a subpoena from the U.S. Securities and Exchange Commission (SEC), compelling the submission of a comprehensive set of information and documents pertaining to the MOVEit vulnerability exploitation.
It’s important to clarify that the SEC’s inquiry is oriented towards gathering facts and does not automatically imply any violation of federal securities laws by Progress or any other party. Progress Software has also expressed its full cooperation with the SEC’s requests while the investigation remains ongoing.
Furthermore, the filing by Progress Software notes an expectation of limited financial repercussions resulting from the mass-scale breaches associated with MOVEit, despite the substantial scope of the incident. The company stated that it had incurred costs amounting to $1 million related to addressing the MOVEit flaw, taking into account both received and anticipated insurance payouts totaling around $1.9 million.
Nevertheless, Progress Software acknowledges the possibility of incurring losses related to this incident, especially after 23 of its affected customers initiated legal action against the company, intending to seek indemnification. Additionally, 58 class action lawsuits have been filed by individuals who claim to have been impacted by the incident.
The precise count of affected MOVEit Transfer customers remains uncertain, even though almost six months have passed since the discovery of the MOVEit zero-day vulnerability. Cybersecurity firm Emsisoft disclosed that 2,546 organizations have confirmed being affected, with the number of affected individuals estimated at more than 64 million. Notably, new victims continue to emerge. For instance, last week, Sony confirmed that over 6,000 of its employees had their data breached in a MOVEit-related cyberattack. Also, Flagstar Bank revealed that more than 800,000 customer records had been exfiltrated.
RELATING BACK TO THE NOVEMBER CYBER BREACH:
The Progress Software filing also reveals an anticipated expenditure of $4.2 million in connection with the cyber breach in November 2022.
Although the filing provides limited specifics about the breach, a Progress Software representative, John Eddy, speaking on behalf of the company through a third-party agency, affirmed that Progress Software had identified signs of an unauthorized intrusion into its corporate network, with evidence that certain company data had been compromised. Progress Software officially disclosed this breach in December 2022.
Progress Software has refrained from disclosing the nature of the compromised data or the extent of the impact on individuals. The company attributes the incurred expenses primarily to the engagement of external cybersecurity experts and other incident response professionals. Additionally, it indicates that it has received insurance payouts totaling approximately $3 million to offset some of these costs.