Overview
On January 22, 2024, the Honorable Allison D. Burroughs of the United States District Court for the District of Massachusetts appointed Cohen Milstein’s Douglas J. McNamara as one of five co-leads to oversee this multidistrict litigation (MDL) involving dozens of class actions from around the country regarding a massive data breach which impacted more than 2,500 organizations and more than 67 million individuals worldwide.
The data breach, which was discovered in May 2023, was linked to Progress Software Corp.’s file-sharing software, MOVEit Transfer, which is used by thousands of organizations around the world to move large amounts of often-sensitive data over the internet. Allegedly starting as early as 2021, a ransomware group known as Clop (aka CL0P) hacked MOVEit servers and stole the sensitive customer data stored on them. Affected entities include hospitals, banks, businesses, governments, pension funds, and universities, among others.
Plaintiffs in the MDL accuse Progress of failing to reasonably secure consumers’ personal information.
Case Background
Progress Software sells MOVEit Transfer, an “On-Premises” Managed File Transfer (MFT) software designed “for secure collaboration and automated file transfers of sensitive data in compliance with SLAs, governance and data protection regulations,” which can “[a]ssure the secure and compliant transfer of protected data.”
Progress also sells “MOVEit Cloud: Managed File Transfer as-a-Service,” which it describes as a “trusted and proven SaaS solution” that “provides full security, reliability and compliance with the convenience of a cloud-based service,” allowing customers to enjoy “best in class security….”
Progress’s MOVEit Transfer and MOVEit Cloud servers contained Personally Identifiable Information (PII) and Protected Health Information (PHI) (collectively, “Personal Information”) of individuals, including Plaintiffs and Class members. According to the Federal Trade Commission (FTC), PII is “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” PHI is deemed private under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §§ 1320d, et seq., as well as multiple state statutes. According to the U.S. Department of Health & Human Services (HHS), PHI “is information, including demographic data,” that relates to: “the individual’s past, present or future physical or mental health or condition,” “the provision of health care to the individual,” or “the past, present, or future payment for the provision of health care to the individual,” and that “identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.” “Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, SSN).”
As alleged in Plaintiffs’ complaint, filed on October 20, 2023, Plaintiffs’ personal data was accessed and exposed by an unauthorized third party in a data breach concerning Progress’s MOVEit Transfer and MOVEit Cloud software, which Progress first learned of on May 28, 2023.
According to a joint alert from the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and the FBI, the Data Breach began when “the CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown structured query language (SQL) injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer solution known as MOVEit Transfer beginning in May 2023. Internet-facing MOVEit Transfer web applications were infected with a specific malware used by CL0P, which was then used to steal data from underlying MOVEit Transfer databases.”
Shortly after discovering the breach, Progress reported it to customers on May 30, 2023, and to the SEC and its investors on June 5, 2023. Over the following weeks, Progress allegedly kept customers and investors apprised of its continuing code review, which uncovered additional vulnerabilities that a bad actor could potentially use to stage further attacks on and exploit MOVEit Transfer and MOVEit Cloud; it alerted them to those risks and to the potential for exploitation, and informed them that certain customers had in fact reported being exploited.
According to Emsisoft Ltd., an anti-malware and anti-virus software company, 2,546 organizations had been impacted by the Data Breach as of October 11, 2023, affecting the records of approximately 64.5 million individuals, with the United States accounting for 84.1% of known impacted organizations.
Emsisoft noted that some organizations were impacted through using “a vendor which used a contractor which used a subcontractor which used MOVEit,” while other organizations have had MOVEit exposure via multiple vendors. Emsisoft also noted “significant potential for the stolen data to be used in spear phishing, BEC scams, etc., meaning that this one crime could act as an enabler for many other crimes.”
CL0P has previously attacked file transfer platforms in similar attacks against Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, SolarWinds Serv-U Managed File Transfer servers in 2021, and Fortra/Linoma GoAnywhere MFT servers in 2023.
Plaintiffs allege that Progress’s failure to reasonably secure consumers’ Personal Information, including PII and PHI, from the foreseeable risk of theft through its vulnerable MOVEit software, as exploited by CL0P, caused the Data Breach.
Case name: In Re: MOVEit Customer Data Security Breach Litigation, Case No. 1:23-md-03083, United States District Court, District of Massachusetts.