Incident Overview On May 28, 2023, Progress Software Corporation discovered a zero-day vulnerability in their MOVEit Transfer application. This vulnerability could potentially allow unauthorized access to the system. The company quickly responded by notifying customers, taking down the MOVEit Cloud, and developing a patch to address the vulnerability.

Response and Mitigation Progress Software engaged leading cybersecurity experts to investigate and remediate the incident. Despite the breach, there is no evidence to suggest that the incident affected systems beyond the MOVEit products. These products constitute less than 4% of the company’s annual revenue.

Financial Impact As of August 31, 2023, the company reported $2.9 million in losses due to the attack. However, Progress Software held $15 million in cyber insurance policies at the time of the incident, with $10.1 million still available. Insurance recoveries have covered $1.9 million of the costs, leaving Progress with $1 million in direct costs. Despite the incident, the company’s revenue increased by 6% compared to the previous year, indicating minimal impact on the overall business.

Legal and Regulatory Actions Progress Software faces significant legal and regulatory scrutiny following the incident:

  • The SEC has launched an investigation into the incident, seeking various documents and information related to the vulnerability.
  • 58 class action lawsuits have been filed against Progress Software by individuals claiming to be impacted by the incident.
  • 23 customers and entities have sent letters indicating intent to seek indemnification.

Ongoing Efforts and Outlook The company continues to enhance its security measures and cooperate with regulatory bodies. Progress Software anticipates further costs related to professional services, litigation, and governmental inquiries. The potential outcomes of these legal proceedings and investigations are currently unpredictable but could be material.

For more detailed information, you can access the full SEC filing here.