Progress Software disclosed that it has received a subpoena from the SEC to share information relating to the vulnerability in its file transfer software, MOVEit, which became the subject of a massive exploit beginning last May. According to the filing, the investigation is presently a “fact-finding inquiry,” and there is no indication at this time that Progress has “violated federal securities laws.” The company intends to cooperate with the SEC.
One analysis by cybersecurity software company Emsisoft estimates that the MOVEit breach exposed the information of at least 64 million individuals through 2,547 affiliated organizations. Among the organizations impacted by the zero-day vulnerability are the Louisiana Office of Motor Vehicles and the Colorado Department of Health Care Policy and Financing. its employee data was compromised in the exploit earlier this month. And Michigan-based financial services provider Flagstar Bank sent its customers a notice saying that records had been stolen (they will now receive free identity monitoring services for two years).
The culprits of the attack — the CL0P ransomware gang — “helped pioneer the practice of double-extortion,” according to . In this sort of scheme, the ransomers both encrypt the target’s data and threaten to leak that data (unless they are paid). The group has since moved to leak some of the data it exfiltrated in the MOVEit hack, from companies like Kirkland and TD Ameritrade. The FBI has since offered up to $10 million to anyone with information that could link CL0P to any particular foreign government.
The true cost (both to victims and to Progress Software) remains unknown at this time. But some of the affected customers have begun seeking restitution for the breach. Progress disclosed in the same regulatory filing that it is currently a party to 58 class action lawsuits. Many of those may be consolidated as they progress, but they still present the possibility of enormous civil penalties.