The direct impact and potential aftermath for Progress Software, maker of the widely exploited MOVEit file-transfer service, came into clearer view Tuesday in the company’s 10-Q filing with the Securities and Exchange Commission.
Costs related to the still unraveling cyberattacks against MOVEit environments and the company’s response reached $2.9 million through the end of August, though the company only directly incurred $1 million in costs after insurance recoveries kicked in.
The SEC formally inquired into the matter as well when the financial regulatory agency issued a subpoena to Progress on Oct. 2 seeking documents and information related to the MOVEit vulnerability.
Progress maintains the investigation does not mean it or anyone else has violated federal securities laws.
“We are cooperating with the SEC’s fact-finding investigation and are continuing to engage with the cybersecurity community in support of the industrywide effort to combat advanced and persistent cybercriminals using sophisticated, multistage attacks to exploit zero-day vulnerabilities,” a company spokesperson said via email.
“We remain focused on supporting our customers, including promptly and transparently sharing information about the coordinated attack on our customers’ environments,” the spokesperson said.
Legal turmoil ahead
While Progress has endured minimal business impact to date from the mass exploitation of a zero-day vulnerability in MOVEit and the subsequent spree of ransomware attacks against its customers, a growing number of class-action lawsuits and claims filed by customers will lead to further costs for the company.
By the end of August, Progress said it had received formal letters from 23 customers and others claiming impacts from the attacks, and some indicated plans to seek restitution from the company.
Progress also received a subrogation claim from an insurer seeking recovery for expenses incurred by the MOVEit attacks. The company is party to 58 class-action lawsuits filed by individuals claiming impacts from the data stolen in MOVEit customers’ environments.
While Progress has insurance coverage, its balance is dwindling after recoveries from MOVEit and a cyberattack last November, for which it received $3 million in insurance.
All told, Progress said in an SEC filing it has $10.1 million of insurance coverage remaining.
An investigation into the November incident, which Progress disclosed the following month in an 8-K filing with the SEC, uncovered evidence of unauthorized access to Progress’ corporate network and corporate data theft.
“The company remained fully operational throughout that incident and it was since fully resolved,” a company spokesperson told Cybersecurity Dive. “This issue was not related to any recently reported software vulnerabilities.”