In a surprising move, the U.S. Securities and Exchange Commission (SEC) has decided not to bring charges against Progress Software over last year’s MOVEit software supply chain attack that exposed the data of millions of people.
The attack, which was carried out by the Cl0p ransomware group, exploited a zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) product. This flaw, known as CVE-2023-34362, allowed the attackers to gain unauthorized access and steal sensitive data from a wide range of organizations worldwide.
According to an August 6 Form 8-K filing, the SEC’s Division of Enforcement concluded its investigation into Progress Software’s handling of the incident and decided not to recommend any enforcement action.
High-Profile Targets and Scale of Victims
Exploitation of the MOVEit vulnerability impacted over 2,000 organizations and over 62 million individuals, with the majority of victims being from the United States. High-profile victims include the BBC, Shell, Radisson Hotels Americas, and Johns Hopkins University.
The education sector has been particularly hard hit, with around 10% of the affected organizations being educational institutions, including some of the world’s top universities. Threat actors are often drawn to the wealth of valuable data held by these institutions, including personally identifiable information, financial records, and intellectual property.
The vulnerability, CVE-2023-34362, allowed unauthenticated users to access the MOVEit Transfer database, execute code, and alter or delete database elements. The attack was carried out using a combination of social engineering and exploitation of the vulnerability, with the attackers gaining access to the data of clients who were using MOVEit services.
SEC Decides To Not Investigate Progress Software Further
The U.S. Securities and Exchange Commission (SEC) has decided not to bring charges against Progress Software over the 2023 MOVEit software supply chain attack. In its Form 8-K filing, it stated:
On August 6, 2024, the Securities and Exchange Commission’s Division of Enforcement (the “SEC”) notified Progress Software Corporation (the “Company”) that the SEC has concluded its investigation of the Company and does not intend to recommend an enforcement action against the Company at this time (the “Termination Letter”). As previously disclosed, the Company received a subpoena from the SEC on October 2, 2023, as part of a fact-finding inquiry seeking various documents and information relating to the MOVEit vulnerability. The Termination Letter was provided under the guidelines set out in the final paragraph of Securities Act Release No. 5310.
Earlier this year, Progress Software had warned about a new vulnerability, CVE-2024-5806, which could lead to unauthorized access to sensitive data within its MOVEit Transfer solution.