Original Article Text

SEC ends probe into MOVEit attacks impacting 95 million people.

The SEC has concluded its investigation into Progress Software’s handling of the widespread exploitation of a MOVEit Transfer zero-day flaw that exposed data of over 95 million people.

In a new FORM 8-K filing with the SEC, Progress Software says that the SEC's Division of Enforcement will not recommend any enforcement action regarding the security incident.

"The SEC has notified Progress that it does not intend to recommend an enforcement action against the company at this time," reads the Thursday evening SEC filing.

"As previously disclosed, Progress received a subpoena from the SEC on October 2, 2023, as part of a fact-finding inquiry seeking various documents and information relating to the MOVEit vulnerability."

The SEC has been investigating Progress Software’s handling of widespread data theft attacks conducted through a zero-day vulnerability in the MOVEit Transfer software.

As first reported by BleepingComputer, during the 2023 Memorial Day holiday weekend, the Clop ransomware gang took advantage of the zero-day vulnerability to launch a large-scale data theft campaign against companies worldwide.

According to Emsisoft, which has been tracking the impact of the attacks, over 2,770 companies and 95 million people had data stolen through the zero-day flaw.

The Clop gang was projected to earn between $75-100 million in ransom payments due to the broad impact of the attacks, which included government agencies, financial firms, healthcare orgs, airlines, and educational institutions.

While the SEC is not recommending any action, Progress Software still faces hundreds of class-action lawsuits centralized in the Massachusetts federal courts.

Daily Brief Summary

DATA BREACH // SEC Concludes Investigation on MOVEit Zero-Day Exploit Impact

The SEC completed its investigation into Progress Software's response to a zero-day exploit in MOVEit Transfer, deciding not to recommend enforcement action.

This security breach, exploited via a previously unknown vulnerability, affected over 2,770 companies globally and compromised the data of approximately 95 million individuals.

The Clop ransomware gang utilized this vulnerability during the 2023 Memorial Day weekend, resulting in significant data theft across various sectors including government, finance, healthcare, airlines, and education.

Despite the SEC's decision not to pursue enforcement, Progress Software is facing numerous class-action lawsuits consolidated in the Massachusetts federal courts.

The criminal exploitation of the vulnerability has reportedly netted the Clop gang between $75 and $100 million in ransom payments.

Progress Software was initially subpoenaed by the SEC on October 2, 2023, as part of the regulatory body's investigation into the handling of the data theft incidents.