
The U.S. Securities and Exchange Commission has decided not to penalise Progress Software, the developer of file transfer software MOVEit, for a significant security incident that impacted hundreds of organisations worldwide.
In May 2023, the infamous Clop ransomware group exploited a zero-day vulnerability in the MOVEit Transfer file transfer application and victimised more than 2,600 companies globally. The incident compromised the sensitive personal information of nearly 96 million people worldwide, leaving them vulnerable to cyber crimes including identity theft.
While the company released security patches soon after the vulnerability was identified and the organisations applied the patches, the Clop ransomware group started listing the victimised companies on its data leak site and demanded ransom payments from them.
In a new Form 8-K filing with the Securities and Exchange Commission (SEC), Progress Software said that the SEC’s Division of Enforcement “does not intend to recommend an enforcement action against the Company at this time.”
“As previously disclosed, the Company received a subpoena from the SEC on October 2, 2023, as part of a fact-finding inquiry seeking various documents and information relating to the MOVEit vulnerability. The Termination Letter was provided under the guidelines set out in the final paragraph of Securities Act Release No. 5310,” reads the filing.
The data security incident affected several major organisations globally, with a majority of those located in the U.S. According to German market research company KonBriefing, hackers have used the vulnerability to victimise over 2,600 organisations worldwide, of which 2,290 are based in the U.S., and accessed the information of more than 90 million people so far.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543