SEC ends probe into MOVEit attacks impacting 95 million people

Summary: The SEC has concluded its investigation into Progress Software’s response to the MOVEit Transfer zero-day vulnerability that led to significant data breaches affecting over 95 million individuals, deciding not to recommend enforcement action against the company. Despite this, Progress Software is still facing numerous class-action lawsuits related to the incident.

Threat Actor: Clop ransomware gang
Victim: Progress Software

Key Points:

  • The SEC found no grounds for enforcement action against Progress Software regarding the MOVEit vulnerability.
  • Over 2,770 companies and 95 million individuals were affected by the data theft linked to the Clop ransomware gang’s exploitation of the flaw.
  • Progress Software is currently facing hundreds of class-action lawsuits despite the SEC’s decision.
  • The Clop gang is estimated to have potentially earned between $75 million and $100 million in ransom payments from the attacks.

The SEC has concluded its investigation into Progress Software’s handling of the widespread exploitation of a MOVEit Transfer zero-day flaw that exposed data of over 95 million people.

In a new Form 8-K filing with the SEC, Progress Software says that the SEC’s Division of Enforcement will not recommend any enforcement action regarding the security incident.

“The SEC has notified Progress that it does not intend to recommend an enforcement action against the company at this time,” reads the Thursday evening SEC filing.

“As previously disclosed, Progress received a subpoena from the SEC on October 2, 2023, as part of a fact-finding inquiry seeking various documents and information relating to the MOVEit vulnerability.”

The SEC has been investigating Progress Software’s handling of widespread data theft attacks conducted through a zero-day vulnerability in the MOVEit Transfer software.

As first reported by BleepingComputer, during the 2023 Memorial Day holiday weekend, the Clop ransomware gang took advantage of the zero-day vulnerability to launch a large-scale data theft campaign against companies worldwide.

According to Emsisoft, which has been tracking the impact of the attacks, over 2,770 companies and 95 million people had data stolen through the zero-day flaw.

The Clop gang was projected to earn between $75 million and $100 million in ransom payments due to the broad impact of the attacks, which included government agencies, financial firms, healthcare orgs, airlines, and educational institutions.

While the SEC is not recommending any action, Progress Software still faces hundreds of class-action lawsuits centralized in the Massachusetts federal courts.

Source: https://www.bleepingcomputer.com/news/security/sec-ends-probe-into-moveit-attacks-impacting-95-million-people