MOVEit Data Breach Attacks Prompt Class-Action Lawsuit Against Progress Software

Progress Software, the maker of MOVEit cloud hosting and file-transfer services, is facing a class-action lawsuit in connection with cyberattacks that resulted from a software vulnerability.

The class-action lawsuit was filed on behalf of Louisiana residents Shavonne Diggs, Brady Bradberry and Christina Bradberry in the U.S. District Court for the District of Massachusetts. Last week, Louisiana and Oregon warned that millions of residents have had their data exposed as a result of the MOVEit Transfer mass-hack. The plaintiffs received notice of the breach from the Louisiana Department of Motor Vehicles.

U.S. government agencies, airlines and media companies, an oil giant, health services, international consulting firms, and many more were part of a larger cyberattack resulting in the theft of data believed to be carried out by the Russia-based Clop ransomware gang. Gen Digital, the parent company of top cybersecurity brands Norton, Avast, LifeLock, Avira and AVG, was among victims of the recent attacks.

Class-Action Lawsuit Allegations

According to Bloomberg Law, the class-action lawsuit plaintiffs alleged that Progress Software failed to implement adequate security measures, monitor its network, properly train its employees or provide timely notice of the incident. Information exposed in the breach included names, addresses, Social Security numbers, birthdates, demographic information, driver’s license numbers, and other personally identifiable information (PII) and financial information.

Among the lawsuit’s claims are negligence, breach of third-party beneficiary contract, unjust enrichment and declaratory judgment. The plaintiffs are seeking actual damages, statutory damages, equitable relief, restitution, disgorgement, attorneys’ fees and costs, lifetime credit-monitoring services, and injunctive relief.

Progress Software Responds to Class-Action Lawsuit

Progress Software sent us the following statement attributed to a MOVEit spokesperson:

“We do not comment on pending litigation as our focus remains on working closely with customers so they can take the steps needed to further harden their environments, including applying the patches we have released. We continue to work with leading cybersecurity experts and are committed to playing a collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.”

$10 Million Reward for Info on Clop

Also this week, the U.S. State Department is offering a bounty of up to $10 million related to information on the Clop ransomware gang. A Twitter post says the agency is seeking information on the “identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.”

Tanium’s Timothy Morris

Timothy Morris, chief security advisor at Tanium, said Clop is a serious actor and the number of victims of data thefts using the MoveIT vulnerability aren’t fully known.

“Clop has used double-extortion attacks in the past by stealing and encrypting data, refusing to decrypt, and leaking or selling the exfiltrated data,” he said. “This is the trend with ransomware criminal gangs. Extortion is more lucrative than encryption-based ransomware alone. It is suspected that Clop has already stolen lots of data from many victims. While encryption hasn’t happened, how much data and from whom has still not been determined. They have used vulnerabilities in other file transfer software to plunder data.”

U.S. Government ‘Serious” About Clop

Offering a bounty of this size shows how serious the U.S. government is taking this group and their thievery, Morris said.

“As with any reward or bounty there are pros and cons,” he said. “They’re offered because they work. Ten million dollars is a lot of money. Most traffers or affiliates make a percentage of ransoms paid or have fixed incomes for $1,000-$2,000 a month. So, that large of a bounty would be enticing to them. However, offering a bounty could anger the criminal gang and cause more damage. They could escalate their tactics, publishing data, and publicly naming and shaming their victims.”

Fenix24’s Heath Renfrow

Heath Renfrow, co-founder of disaster recovery firm Fenix24, said the bounty is a warning sign to Clop that law enforcement has targeted them and, based on some recent arrests by law enforcement in relation to other cybercriminal gangs, it will most likely force Clop to dissolve or lay low for a bit and rise again as a new gang.

“For the most part, the cybercriminal element seems to be shying away from hitting critical infrastructure following the Colonial Pipeline ransomware event,” he said. “However, some groups will remain bold, and know that the payout of the ransom is high when the crippling of critical infrastructure is at stake. I believe the nation-state threat to critical infrastructure will continue to grow and become a considerable threat to our nation’s security and human life. In my view, we have entered a new era of warfare tactics where cyberattacks on critical infrastructure during or while on the precipice of war will become a regular tactic by all nations.”