In 2023, **Progress Software Corporation** suffered a critical **data breach** in its **MOVEit file transfer platform**, exploited by the Russian cybercriminal group **CL0P**. The attack compromised the personal data of **~85 million individuals**, with sensitive information leaked on the dark web. Plaintiffs alleged that Progress failed to implement **industry-standard cybersecurity measures**, including IP restrictions, file-type limitations, vulnerability audits, and real-time monitoring. The breach stemmed from **unpatched vulnerabilities**, delayed patching, and inadequate notification protocols. Legal proceedings revealed negligence in **designing secure software** and **vetting third-party vendors**, leading to lawsuits under **negligence, breach of contract, unjust enrichment, and state consumer protection laws**. Courts ruled that Progress and its clients (direct users and vendor contracting entities) had a **duty to enforce reasonable safeguards**, reinforcing liabilities for **poor vendor management and cybersecurity lapses**. The incident underscored systemic failures in **proactive threat detection, timely remediation, and compliance with data privacy statutes**, exposing victims to **identity theft, fraud, and reputational harm** while subjecting Progress to **multidistrict litigation and regulatory scrutiny**.
TPRM report: https://www.rankiteo.com/company/progress-software
{
  "id": "pro5992159100325",
  "linkid": "progress-software",
  "type": "Breach",
  "date": "6/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '85 million individuals '
'(indirectly via clients)',
'industry': 'Technology (File Transfer Software)',
'location': 'Massachusetts, USA',
'name': 'Progress Software Corporation',
'type': 'Software Developer'},
{'customers_affected': '85 million (aggregated across '
'defendants)',
'industry': 'Multiple (e.g., Finance, Healthcare, '
'Education)',
'location': 'USA (various states)',
'name': 'Bellwether Defendants (Direct Users/Vendor '
'Contracting Entities)',
'type': ['Corporate Entities',
'Government Agencies',
'Educational Institutions']},
{'industry': 'Financial Services',
'name': 'Genworth (Bellwether Defendant)',
'type': 'Vendor Contracting Entity'},
{'name': 'MLIC (Bellwether Defendant)',
'type': 'Vendor Contracting Entity'},
{'name': 'PBI (Bellwether Defendant)',
'type': 'Vendor Contracting Entity'},
{'industry': 'Healthcare Technology',
'name': 'Welltok (Bellwether Defendant)',
'type': 'Vendor Contracting Entity'}],
'attack_vector': ['Exploitation of Software Vulnerability (MOVEit Platform)',
'Unauthorized Access',
'Data Exfiltration'],
'customer_advisories': ['Notifications sent to affected individuals (timing '
'criticized as delayed)'],
'data_breach': {'data_encryption': 'No (data was unencrypted during '
'exfiltration)',
'data_exfiltration': 'Yes (posted on dark web)',
'number_of_records_exposed': '85 million',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (includes highly sensitive '
'personal and corporate information)',
'type_of_data_compromised': ['PII (e.g., names, addresses, '
'SSNs)',
'Corporate data',
'Potentially medical/financial '
'records']},
'description': 'A data breach of Progress Software Corporation’s MOVEit file '
'transfer platform, carried out by the Russian cyberhacker '
'group CL0P in 2023, impacted approximately 85 million people. '
'The breach involved the exfiltration and posting of personal '
'information on the dark web, leading to multidistrict '
'litigation (MDL No. 1:23-md-03083-ADB) with allegations of '
'negligence, breach of contract, unjust enrichment, and '
'violations of state consumer protection laws. The Court '
'largely denied motions to dismiss, emphasizing the '
"defendants' duty to implement reasonable cybersecurity "
'safeguards.',
'impact': {'brand_reputation_impact': ['Significant damage due to '
'high-profile breach and litigation',
'Loss of customer trust'],
'customer_complaints': ['Multidistrict litigation by 85 million '
'affected individuals'],
'data_compromised': ['Personally Identifiable Information (PII)',
'Sensitive Corporate Data'],
'identity_theft_risk': ['High (PII exposed on dark web)'],
'legal_liabilities': ['Negligence claims',
'Breach of contract',
'Unjust enrichment',
'State consumer protection law violations '
'(e.g., Massachusetts Chapter 93A, CCPA)',
'Potential fines and settlements'],
'operational_impact': ['Legal proceedings (MDL litigation)',
'Reputation damage',
'Regulatory scrutiny'],
'systems_affected': ['MOVEit file transfer platform']},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes',
'entry_point': 'Exploited vulnerability in MOVEit '
'file transfer platform',
'high_value_targets': ['PII databases',
'Corporate sensitive data']},
'investigation_status': 'Ongoing (litigation in progress as of July 2025)',
'lessons_learned': ['Implement industry-standard cybersecurity protocols '
'(e.g., IP restrictions, file type limits, monitoring).',
'Conduct regular security audits of software platforms '
'and vendor practices.',
'Ensure timely patching of vulnerabilities and breach '
'notifications.',
'Vet and audit third-party vendors’ security practices '
'rigorously.',
'Understand state-specific data protection laws to '
'mitigate legal risks.'],
'motivation': ['Financial Gain', 'Data Theft for Dark Web Sale', 'Extortion'],
'post_incident_analysis': {'corrective_actions': ['Legal defenses in MDL '
'litigation.',
'Potential security '
'overhauls (not detailed in '
'ruling).',
'Heightened scrutiny of '
'vendor cybersecurity '
'practices.'],
'root_causes': ['Failure to implement reasonable '
'security safeguards (e.g., IP '
'restrictions, file type limits).',
'Inadequate auditing of MOVEit '
'platform security.',
'Delayed patching of known '
'vulnerabilities.',
'Slow breach notification process.',
'Lack of vendor security vetting '
'(for Bellwether Defendants).']},
'ransomware': {'data_encryption': 'No (primarily exfiltration, not encryption '
'for ransom)',
'data_exfiltration': 'Yes'},
'recommendations': ['Adopt zero-trust architecture for file transfer '
'platforms.',
'Enforce strict access controls (e.g., IP whitelisting, '
'MFA).',
'Deploy real-time monitoring for suspicious activity.',
'Establish clear incident response plans with defined '
'timelines for patching and notification.',
'Proactively engage with legal counsel to assess '
'compliance with state/federal laws.',
'Invest in vendor risk management programs.'],
'references': [{'source': 'District of Massachusetts Court Ruling (July 31, '
'2025)'},
{'source': 'In re: MOVEit Customer Data Security Breach '
'Litigation, MDL No. 1:23-md-03083-ADB'},
{'source': 'Amended Bellwether Complaint (2025)'}],
'regulatory_compliance': {'legal_actions': ['Multidistrict litigation (MDL '
'No. 1:23-md-03083-ADB)',
'Bellwether proceedings',
'Claims of negligence, breach of '
'contract, unjust enrichment, and '
'state consumer protection '
'violations'],
'regulations_violated': ['California Customer '
'Records Act (CCRA) – '
'partial dismissal',
'Wisconsin Deceptive Trade '
'Practices Act (WDTPA) – '
'dismissed for lack of '
'pecuniary loss',
'California Consumer '
'Privacy Act (CCPA) – '
'mixed rulings',
'Massachusetts Consumer '
'Protection Act (Chapter '
'93A) – claims survived',
'California '
'Confidentiality of '
'Medical Information Act '
'(CMIA) – dismissed',
'State data breach '
'notification statutes – '
'dismissed for Progress']},
'response': {'communication_strategy': ['Court filings',
'Public statements via legal '
'proceedings'],
'containment_measures': ['Patching vulnerabilities (delayed)',
'Notification to affected parties '
'(delayed)'],
'incident_response_plan_activated': 'Yes (though criticized for '
'slow patching and '
'notification)',
'remediation_measures': ['Legal defense in MDL litigation',
'Potential security audits '
'(post-breach)']},
'threat_actor': 'CL0P (Russian cyberhacker group)',
'title': 'MOVEit Customer Data Security Breach (2023)',
'type': ['Data Breach', 'Cyberattack', 'Ransomware (Data Exfiltration)'],
'vulnerability_exploited': ['Unspecified vulnerability in MOVEit file '
'transfer platform (known to CL0P)',
'Lack of IP restrictions',
'Lack of file type limitations',
'Inadequate monitoring for suspicious activity']}