U.S. securities regulators have opened a probe into the MOVEit mass-hack that has exposed the private data of at least 64 million people, according to the company that made the affected software.
In a regulatory filing this week, Progress Software confirmed it had received a subpoena from the U.S. Securities and Exchange Commission (SEC) seeking “numerous paperwork and data” relating to the MOVEit vulnerability. “The SEC investigation is a fact-finding inquiry, the investigation doesn’t imply that Progress or anybody else has violated federal securities legal guidelines,” Progress said, adding that it intends to “cooperate absolutely” with the investigation.
Progress also said in the filing that it expects to see minimal financial impact from the MOVEit mass-hacks, despite the broad scale of the incident.
The company said it incurred $1 million of costs related to the MOVEit vulnerability, once it had taken into account received and expected insurance payouts of approximately $1.9 million.
However, Progress notes that a loss from this incident remains possible after 23 affected customers launched legal action against the company and “intend to hunt indemnification.” Progress said that a further 58 class action lawsuits have been filed by individuals who claim to be affected.
While it is almost six months on from the discovery of the MOVEit zero-day vulnerability, the exact number of impacted MOVEit Transfer customers remains unknown, though cybersecurity company Emsisoft reports that 2,546 organizations have so far confirmed they were affected, impacting more than 64 million individuals.
New victims continue to come forward. Last week, Sony confirmed that more than 6,000 employees had data accessed in a MOVEit-related incident, and Flagstar Bank said more than 800,000 customer records had been stolen.
November security incident
Progress Software said in the filing that it expects to incur additional costs of $4.2 million related to a separate cybersecurity incident in November 2022.
The filing does not reveal any details about the incident, but John Eddy, a Progress spokesperson representing the company via a third-party agency, confirmed that Progress Software at the time uncovered evidence of unauthorized access to Progress’ corporate network, including evidence that certain company data had been exfiltrated. Progress disclosed the incident in December 2022.
The company confirmed that costs related to this incident “had been primarily associated to the engagement of exterior cybersecurity specialists and different incident response professionals” and noted that it received approximately $3 million in insurance payouts.