The US Securities and Exchange Commission (SEC) has concluded its investigation into Progress Software’s handling of the MOVEit software supply chain attack that exposed the data of millions of people in 2023 [3].
Description
Progress Software will not face charges from the SEC over the exploitation of the MOVEit Transfer zero-day vulnerabilities. The SEC informed Progress that it would not recommend enforcement action in connection with the MOVEit Transfer vulnerability that affected 95 million people [1]. Progress cooperated with the SEC's fact-finding inquiry and provided documents related to the flaw [1].

The zero-day vulnerability, an SQL injection weakness in the managed file transfer (MFT) product, was discovered by Progress in June 2023 [3]. The Clop ransomware gang used this vulnerability to conduct a large-scale data theft campaign affecting 2773 organizations and over 95 million individuals. Clop exploited the MOVEit bug in May 2023, impacting governments, financial institutions, and other organizations globally [1]. Additionally, Progress Software disclosed two new vulnerabilities in its MOVEit file transfer products in June 2024 [3].

The SEC's decision not to take enforcement action may be attributed to Progress Software's cooperation and the absence of negligence in its cybersecurity practices [1]. Experts suggest that the zero-day nature of the exploit and the ongoing litigation against Progress Software may also have influenced the SEC's decision [1], as may the SEC's focus on institutional issues such as fraud [1]. In light of the incident, organizations are reminded of the importance of vetting third-party applications and conducting rigorous security assessments [1].

Although the SEC has concluded its investigation, Progress Software still faces regulatory challenges from the Federal Trade Commission and state attorneys general, as well as class action lawsuits [2]. The SEC's decision comes shortly after a federal district court dismissed most of the civil charges in the SEC's case against SolarWinds, a case that highlights the increasing accountability of companies and executives for disclosing cyber risks [2]. The SEC's settlement with Blackbaud for misleading disclosures about a ransomware attack and the conviction of Uber's former CSO for covering up a ransomware attack further underscore the importance of transparency in cybersecurity incidents [2].
Conclusion
The SEC's decision not to pursue enforcement action against Progress Software underscores the value of cooperation and transparency during cybersecurity incidents. Organizations must prioritize security assessments and the vetting of third-party applications to mitigate risk and protect data. The increasing accountability of companies and executives for disclosing cyber risks highlights the need for proactive security measures and transparent communication in the face of evolving threats.
References
[1] https://www.scmagazine.com/news/sec-takes-no-action-on-progress-software-for-moveit-transfer-case
[2] https://www.cybersecuritydive.com/news/progress-sec-declines-action-rmoveit/723707/
[3] https://www.infosecurity-magazine.com/news/sec-progress-moveit-no-charges/