Progress Software has borne minimal impact from the mass exploit of a zero-day vulnerability in its file-transfer service MOVEit despite supply chain compromises that have affected more than 2,100 organizations. Researchers say the data of at least 62 million people has been exposed by the attacks.
Progress reported $951,000 in cyber incident and vulnerability response expenses during its fiscal third quarter, which ended Aug. 31, and said more details will be included in its forthcoming 10-Q.
The cost represents 0.5% of the $175 million in revenue Progress reported during the quarter, which was up 6% year over year.
The impact on the overall business is "minimal" and it’s too early to assess the impact of any litigation, CEO Yogesh Gupta said Tuesday during the company’s earnings call.
“From the perspective of our customers actually, our customers have been extremely positive about what we've been doing for them,” Gupta said.
“We’re not really seeing what I would call meaningful impact from our customers at this point,” he said.
Progress doesn’t break out numbers for MOVEit’s financial performance on a standalone basis, but the company does say it represents less than 4% of its overall revenue.
Gupta didn’t directly answer a Wall Street analyst’s question about how many customers have moved off the platform since the spree of attacks occurred in late May.
Progress has declined multiple inquiries regarding how many organizations were using MOVEit when the previously unknown vulnerability was first discovered and widely exploited.
The zero-day vulnerability was disclosed and patched on May 31, but the damage was already done. Almost four months later, the fallout from the mass exploit is still spreading, making it the largest cyberattack thus far this year.
“Our quick and transparent response since the start of this incident has also given MOVEit customers confidence and we believe that it has helped with retaining our customers,” a MOVEit spokesperson told Cybersecurity Dive via email.
“This was a coordinated attack on our customers’ environments by a sophisticated criminal organization. MOVEit Transfer is on-premises software run within our customers’ environments, so we don’t have visibility into the data accessed by the cybercriminals. However, as we see disclosures in the media regarding the type of information that has been stolen, we empathize deeply with the individual end-users who have been impacted by this attack,” the company said.
"Progress has continued to work closely with our customers. We are committed to playing a collaborative role in the industrywide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products," MOVEit said.
Potential pain to come
While Progress hasn’t endured any significant consequences linked to the MOVEit mass exploit to date, that could change.
“We just don't know what the future litigation impact might be because it is so early, but in general customers have been, to be honest, really happy with our response,” Gupta said on the earnings call.
A month after the attacks, four impacted customers said they would seek indemnification from Progress and 11 class-action lawsuits were filed against the company by individuals, the company said in its 10-Q filing on July 7.
Consumer-rights law firm Hagens Berman filed five nationwide class-action lawsuits against Progress in August, accusing the company of negligence, unjust enrichment and breach of contract.
Hagens Berman, one of the firms selected to finalize a $350 million settlement T-Mobile agreed to pay following its 2021 breach, alleges the widely exploited vulnerability in MOVEit existed since 2021.
Progress expects to incur additional investigation, legal and other expenses related to the MOVEit vulnerability exploits, but said it can’t reasonably estimate a range of possible losses. The company has $12 million in cyber policy coverage available, which it plans to pursue to the maximum extent possible.
Customers bear brunt of damage
The downstream impact for organizations that were using the service at the time of the attack, and for their respective customers, is massive and growing.
Major financial institutions, law firms, insurance providers, schools, healthcare firms and government agencies have all been hit by this slow-moving disaster.
This lopsided impact underscores why the drumbeat of secure by design and secure by default principles is getting louder, according to Katell Thielemann, distinguished VP analyst at Gartner.
“The economic equation so far has put most of the burden of dealing with vulnerable products on the users, most of which are least likely to be able to deal with them,” Thielemann said via email.
“And the market forces have not really worked into forcing producers to care enough to prevent them in the first place,” Thielemann said.
The aspirational movement to shift responsibility for security in technology products and services to manufacturers and vendors is a core pillar of federal cyber authorities’ efforts outlined in the national cyber strategy.
“Many proponents of this shift argue that developers and manufacturers understand their products the best, and are also the centralized entity to issue patches, updates and other servicing solutions,” Amy Chang, resident senior cyber fellow of cybersecurity and emerging threats at R Street Institute, said via email.
This incident also highlights the “downstream impacts of vendors who had little recourse to remediate the effects of compromised software,” Chang said.
There should be repercussions for companies that fail to remediate known vulnerabilities, Chang said. But “to punish any company who fails to foresee consequences of vulnerabilities that have yet to be discovered or exploited would be unfair and have the potential to hamper innovation.”